sql injection
play

SQL INJECTION by Fabrizio dAmore faculty of Ingegneria - PowerPoint PPT Presentation

Feb 10, 2024 •287 likes •499 views

SQL INJECTION by Fabrizio dAmore faculty of Ingegneria dellInformazione Universit di Roma La Sapienza WHAT IT IS , WHAT IT IS NOT December 2009 capability of giving SQL commands to a database engine exploiting a pre-existing

  1. SQL INJECTION by Fabrizio d’Amore faculty of Ingegneria dell’Informazione Università di Roma “La Sapienza”

  2. WHAT IT IS , WHAT IT IS NOT December 2009 ¢ capability of giving SQL commands to a database engine exploiting a pre-existing application ¢ not exclusive to Web applications, but widespread SQL Injection, by F. d'Amore vulnerability in Web sites — vulnerabilities exist in 60% of Web sites they have tested (from: OWASP, Open Web Application Security Project) ¢ not due to inadequate development of Web applications, nor a fault of the Web / RDBMS server — developers not yet sufficiently aware — low-quality info in the Web on how to prevent the problem — detailed info in the Web on how to exploit vulnerabilities 2

  3. WHAT APPLICATIONS ARE VULNERABLE ? December 2009 ¢ in practice, all databases based on SQL — MS SQL Server, Oracle, MySQL, Postgres, DB 2, Informix etc. SQL Injection, by F. d'Amore ¢ databases accessed thru applications based on most of modern (and non-modern) technologies — Perl, CGI, ASP, PHP, XML, Javascript, VB, C, Java, Cobol etc. 3

  4. HOW IT WORKS December 2009 ¢ client injects SQL code into the input data of an application SQL Injection, by F. d'Amore — typical scenario: application dynamically creates SQL query using altered data (obtained from outside), without good validation of such data ¢ target of the attack: server of an application ¢ goal: allow the client to access the database used by the attacked server 4

  5. EXAMPLE December 2009 ¢ if the following query returns data... SELECT * FROM users SQL Injection, by F. d'Amore WHERE login = 'damore' AND password = 'qwerty' ¢ example of login syntax ASP/MS SQL Server var sql = "SELECT * FROM users WHERE login = '" + formusr + "' AND password = '" + formpwd + "'"; ¢ if — formusr = ' or 1=1 -- — formpwd arbitrary ¢ query becomes into SELECT * FROM users WHERE login = '' or 1=1 5 -- AND password = ...

  6. SQL INJECTION ATTACK December 2009 ¢ attacker can access database in read/write/admin — depends on the vulnerability of the specific DBMS SQL Injection, by F. d'Amore ¢ impact of the attack is potentially HIGH 6

  7. POSSIBLE HTML FORM December 2009 ¢ from Wikipedia ( http://it.wikipedia.org/wiki/SQL_injection) SQL Injection, by F. d'Amore <form action='login.php' method='post'> <form action='login.php' method='post'> Username: <input type='text' name='user' /> Username: <input type='text' name='user' /> Password: <input type='password' name='pwd' /> Password: <input type='password' name='pwd' /> <input type='submit' value='Login' /> <input type='submit' value='Login' /> </form> </form> 7

  8. POSSIBLE LOGIN . PHP FILE December 2009 <?php //Prepares query, in a variable $query = "SELECT * FROM users WHERE user='".$_POST SQL Injection, by F. d'Amore ['user']."' AND pwd='".$_POST['pwd']."'"; //Execute query (suppose a valid connection to database is already open and its state is stored in $db) $sql = mysql_query($query,$db); //Count number of lines that have been found if(mysql_affected_rows($sql)>0) { //authenticated! } ?> 8

  9. CONSEQUENCES December 2009 ¢ if script does not make input analysis and validation, user can send SQL Injection, by F. d'Amore user = blah pwd = ' OR user=‘blah' ¢ we get the query SELECT * FROM users WHERE user=‘blah' AND pwd='' OR user=‘blah' ¢ if at least one tuple does exist, attacker obtains authenticated access 9

  10. OTHER ( WORSE ) CONSEQUENCES December 2009 ¢ symbol ';' is exploited, it allows to concatenate commands SQL Injection, by F. d'Amore pwd = ' OR user=‘blah'; DROP TABLE users; ¢ or pwd = ' OR user=‘blash'; INSERT INTO users (...) VALUES (...); 10

  11. LINKS December 2009 ¢ examples — http://www.owasp.org/index.php/SQL_Injection — http://www.unixwiz.net/techtips/sql-injection.html SQL Injection, by F. d'Amore ¢ Sqlninja : example of tool for supporting attacks http://sqlninja.sourceforge.net/ — it tries to use SQL injection on applications based on MS SQL Server — its goal is to obtain an interactive shell on the remote DB server ¢ WebScarab : example of tool for prevention http://www.owasp.org/index.php/ Category:OWASP_WebScarab_Project 11 — powerful, good prevention, even against other types of attack

  12. PREVENTING SQL INJECTION December 2009 ¢ input validation — client side SQL Injection, by F. d'Amore — to be considered within the wider subject of software correctness and robustness ¢ parameterized queries — based on predefined query strings ¢ use of stored procedures — subroutines that are defined at server side, available to applications accessing the RDBMS 12 — can validate input at server side

  13. INPUT VALIDATION AT CLIENT SIDE December 2009 ¢ use scripts, e.g., Javascript SQL Injection, by F. d'Amore ¢ can be made weaker by the security settings of the browser ¢ in some cases, can be bypassed thru suitable change of the HTML source code 13

  14. PARAMETERIZED QUERIES December 2009 ¢ avoid the traditional dynamic query string, where pre-defined substrings have to be replaced by user defined text SQL Injection, by F. d'Amore ¢ based on pre-defined query strings, where suitable parameters have to be inserted ¢ example: Java Prepared Statement 14

  15. JAVA PREPARED STATEMENTS December 2009 ¢ see Sun tutorial on JDBC ( http://java.sun.com/docs/books/tutorial/jdbc/basics/ index.html) SQL Injection, by F. d'Amore ¢ technique based on Java class PreparedStatement — initially proposed for improving the speed of frequently executed queries ¢ when PreparedStatement is instantiated, an SQL query is built (and compiled): it may contain the symbol '?' to denote possible parameters necessary to query ¢ query structure is fixed 15

  16. PRACTIC EXAMPLE December 2009 // define query schema // define query schema String String selectStatement selectStatement = "SELECT * FROM User WHERE = "SELECT * FROM User WHERE userId userId = ? "; = ? "; SQL Injection, by F. d'Amore // instantiate // instantiate PreparedStatement PreparedStatement object by means of object by means of purposed method of db connector (class Connection) purposed method of db connector (class Connection) PreparedStatement PreparedStatement prepStmt prepStmt = = con.prepareStatement con.prepareStatement (selectStatement selectStatement); ); // provide parameter thru // provide parameter thru setXXX setXXX prepStmt.setString prepStmt.setString(1, (1, userId userId); // 1 -> first ); // 1 -> first parameter parameter // execute query // execute query 16 ResultSet ResultSet rs rs = = prepStmt.executeQuery prepStmt.executeQuery(); ();

  17. VULNERABILITIES IN PREPARED STATEMENTS December 2009 ¢ Java prepared statements, if not carefully packed, may be vulnerable to SQL injection SQL Injection, by F. d'Amore ¢ example String strUserName String strUserName = = request.getParameter request.getParameter(" ("Txt_UserName Txt_UserName"); "); PreparedStatement PreparedStatement prepStmt prepStmt = = con.prepareStatement con.prepareStatement("SELECT * FROM user ("SELECT * FROM user WHERE WHERE userId userId = '+ = '+strUserName strUserName+'"); +'"); ¢ a prepared statement is built, using a non- validated input parameter! 17

  18. STORED PROCEDURES : WHAT AND WHY December 2009 ¢ compiled procedures (subroutines) made available at server side to build/support batches operating on DB SQL Injection, by F. d'Amore ¢ code is optimized, but DB server incurs higher processing costs — also improve code readability ¢ they help to limit SQL injection attacks — but they are not exempt from vulnerabilities 18

  19. USE OF STORED PROCEDURES December 2009 ¢ also known as proc , sproc , StoPro or SP , belong to data dictionary SQL Injection, by F. d'Amore ¢ typical uses — data validation — access control mechanisms — centralization of logic that was initially contained inside the applications ¢ similar to the user-defined functions, but with different syntax — functions can appear everywhere in SQL strings, this is not true for stored procedure calls 19

  20. DATA VALIDATION THRU SP December 2009 A few controls (partial list) ¢ format (e.g., digits or dates) ¢ types (e.g., if text has been inserted when digits are SQL Injection, by F. d'Amore expected) ¢ range (check data that should belong to an admissible interval) ¢ mandatory data ¢ parity control ¢ orthography and grammar ¢ consistence M/F, S/P ¢ cross-system consistence (data on several systems; e.g., name + surname vs. surname + name) ¢ existence of referred files 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a password manager is a good idea! SQL injection is ironic SQL injection is funny Overviewtrated Account Summary Account: Account: &quot;SELECT

445 views • 32 slides
5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring Term 2016 Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 1 Table of Contents Injection in PHP

995 views • 73 slides
A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks

A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks

A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks databases into reveal l information by way of the success or failure of injected querie ies Analogous example le: Login prompt that stops ps

602 views • 14 slides
Injection mismatch type of injection mismatch will lead to an emittance blow-up. Off axis

Injection mismatch type of injection mismatch will lead to an emittance blow-up. Off axis

Injection mismatch: As a rule, proton/ion accelerators need their full aperture at injection, thus avoiding mismatch allows a beam of larger normalized emittance * and containing more Protons. In proton/ion ring accelerators any Injection

454 views • 4 slides
A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application into executing commands or code embedded in data Data and code mixing! Often injected into interpreters SQL, PHP, Python, JavaScript, LDAP,

377 views • 14 slides
INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

TECHNOLOGY APPLICATIONS FOR HYDRO ISOLATION AND REPAIR OF UNDERGROUND FACILITIES INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible mass of mineral origin, for both dry and wet surfaces solvent-free,

487 views • 21 slides
INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

TECHNOLOGY APPLICATIONS FOR HYDRO ISOLATION AND REPAIR OF UNDERGROUND FACILITIES INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible mass of mineral origin, for both dry and wet surfaces solvent-free,

466 views • 29 slides
Injection Safety Every Provider s Responsibility Outline Safe Injection

Injection Safety Every Provider s Responsibility Outline Safe Injection

Injection Safety Every Provider s Responsibility Outline Safe Injection Practices The ONE and ONLY Campaign Outbreak History Mistaken Beliefs A Call to Action Resources and Information

591 views • 20 slides
Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry

Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry

Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry Presented by: Ken Schweitz, President and Doug Culbertson, VP Business Development of Premold Corp Section I. Advantages of RIM Economical

441 views • 29 slides
C0 2 / Acid Gas Injection Well Injection Well Conversion Prepared for the 5 Th Well Bore

C0 2 / Acid Gas Injection Well Injection Well Conversion Prepared for the 5 Th Well Bore

C0 2 / Acid Gas Injection Well Injection Well Conversion Prepared for the 5 Th Well Bore Integrity Network Meeting. Calgary Alberta May 14, 2009 Agenda Wellbore integrity Well design with annular integrity Well design without

443 views • 22 slides
Underground Injection Control (UIC) Permitting, Testing and Monitoring Injection-Storage Permits

Underground Injection Control (UIC) Permitting, Testing and Monitoring Injection-Storage Permits

Underground Injection Control (UIC) Permitting, Testing and Monitoring Injection-Storage Permits Unit February, 2019 1 Railroad Commission of Texas | June 27, 2016 (Change Date In First Master Slide) Session Overview Overview: UIC Online

1.01k views • 79 slides
Stage Fractional- N Injection-Locked PLL Using Soft Injection Dongsheng Yang, Wei Deng, Tomohiro

Stage Fractional- N Injection-Locked PLL Using Soft Injection Dongsheng Yang, Wei Deng, Tomohiro

1S-1 An Automatic Place-and-Routed Two- Stage Fractional- N Injection-Locked PLL Using Soft Injection Dongsheng Yang, Wei Deng, Tomohiro Ueno, Teerachot Siriburanon, Satoshi Kondo, Kenichi Okada, and Akira Matsuzawa Tokyo Institute of

423 views • 10 slides
NEVO sequential gas injection system New sequential gas injection system NEVO Answer for

NEVO sequential gas injection system New sequential gas injection system NEVO Answer for

NEVO sequential gas injection system New sequential gas injection system NEVO Answer for market expectations Modern cars Demanding users Workshop time saving KME trademark Major assumptions of NEVO system Simple Quick to

222 views • 21 slides
AVFI: Fault Injection for Autonomous Vehicles Fault Injection to Measure Resilience of AVs

AVFI: Fault Injection for Autonomous Vehicles Fault Injection to Measure Resilience of AVs

Saurabh Jha, Subho S. Banerjee , James Cyriac, Zbigniew T. Kalbarczyk and Ravishankar K. Iyer Computer Science, Electrical and Computer Engineering AVFI: Fault Injection for Autonomous Vehicles Fault Injection to Measure Resilience of AVs

215 views • 8 slides
www.adduxi.com HIGH QUALITY INJECTION ADDUXI IS A MANUFACTURER OF HIGH-PRECISION INDUSTRIAL

www.adduxi.com HIGH QUALITY INJECTION ADDUXI IS A MANUFACTURER OF HIGH-PRECISION INDUSTRIAL

HIGH QUALITY INJECTION www.adduxi.com HIGH QUALITY INJECTION ADDUXI IS A MANUFACTURER OF HIGH-PRECISION INDUSTRIAL PARTS. INJECTION MOLDING OF MISCELLANEOUS THERMOPLASTICS. HIGH QUALITY INJECTION MAIN OBJECTIVE: PERFORMANCE BASED ON

745 views • 33 slides
CS327E: Elements of Databases Cybersecurity and SQL Injection Dr. Bill Young Department of

CS327E: Elements of Databases Cybersecurity and SQL Injection Dr. Bill Young Department of

CS327E: Elements of Databases Cybersecurity and SQL Injection Dr. Bill Young Department of Computer Sciences University of Texas at Austin Last updated: October 31, 2016 at 12:21 CS327E SQL Injection Slideset: 1 SQL Injection What Id Like

440 views • 39 slides
Three types of information systems: Information-Retrieval Systems (IR) Search large bodies

Three types of information systems: Information-Retrieval Systems (IR) Search large bodies

Three types of information systems: Information-Retrieval Systems (IR) Search large bodies of information which are not specifically formatted as formal data bases. Web search engine Keyword search of a text base Typically

305 views • 13 slides
Data Quality Services SQL Server 2012 Ash Tewari @ashtewari ashtewari.com Data Quality

Data Quality Services SQL Server 2012 Ash Tewari @ashtewari ashtewari.com Data Quality

Data Quality Services SQL Server 2012 Ash Tewari @ashtewari ashtewari.com Data Quality Services // Ash Tewari // @ashtewari What is Data Quality? The degree to which the data is fit for its intended use. Data Quality Services // Ash Tewari

1.14k views • 24 slides
Webapp security: SQL injection Network Security Lecture 9 Today We have finished analyzing

Webapp security: SQL injection Network Security Lecture 9 Today We have finished analyzing

Webapp security: SQL injection Network Security Lecture 9 Today We have finished analyzing the security of network protocols We will now focus on web applications and their vulnerabilities (and attacks) SQL injection Eike Ritter

815 views • 25 slides
Crucial data privacy and protection insights for 2019 Richard Macaskill and Kendra Little 20

Crucial data privacy and protection insights for 2019 Richard Macaskill and Kendra Little 20

Crucial data privacy and protection insights for 2019 Richard Macaskill and Kendra Little 20 years Oracle and SQL Server experience Product Manager at Redgate Data Governance Richard Macaskill bolshevik! Richard.Macaskill@Red-Gate.com

638 views • 50 slides
CS 327E Lecture 1 Shirley Cohen January 25, 2016 Agenda Announcements Homework for

CS 327E Lecture 1 Shirley Cohen January 25, 2016 Agenda Announcements Homework for

CS 327E Lecture 1 Shirley Cohen January 25, 2016 Agenda Announcements Homework for today Reading Quiz Concept Questions Homework for next time Announcements Reading quizzes and class participation grades

458 views • 19 slides
(R)DBMSs today DMBS Approx. market share (Microsoft Access) Database Systems Oracle

(R)DBMSs today DMBS Approx. market share (Microsoft Access) Database Systems Oracle

3/3/2014 (R)DBMSs today DMBS Approx. market share (Microsoft Access) Database Systems Oracle 40-50% IBM DB2 20-30% Microsoft SQL Server ~15% RDBMSs Sybase 3% The NoSQL movement () MySQL 1% PostgreSQL 0.5% 1 2 Oracle

399 views • 6 slides
CS 398 ACC Spark SQL Prof. Robert J. Brunner Ben Congdon Tyler Kim MP4 Hows it going?

CS 398 ACC Spark SQL Prof. Robert J. Brunner Ben Congdon Tyler Kim MP4 Hows it going?

CS 398 ACC Spark SQL Prof. Robert J. Brunner Ben Congdon Tyler Kim MP4 Hows it going? Final Office Hours: After this lecture // Tomorrow 4-6pm - Please avoid Low-Effort/Private Piazza post Final Autograder run: - Tonight ~9pm -

654 views • 38 slides
Introduction to CNNs and RNNs with PyTorch Introduction to CNNs and RNNs with PyTorch Presented

Introduction to CNNs and RNNs with PyTorch Introduction to CNNs and RNNs with PyTorch Presented

Introduction to CNNs and RNNs with PyTorch Introduction to CNNs and RNNs with PyTorch Presented by: Adam Balint Presented by: Adam Balint Email: balint@uoguelph.ca Email: balint@uoguelph.ca Working with more complex data Working with more

608 views • 25 slides

More recommend