
SQL injection



Presentation Transcript


  1. SQL injection (Figure 1). By Kaveri Bhasin

  2. Motive of SQL Injection
  • Obtain data from the database
  • Modify system functions
  • Insert data into the backend database

  3. Figure 2.

  4. Victims
  • Mostly Web applications with user input facilities.

  5. Simplest Procedure
  • Guess field names.
  • Construct a query and check the SQL status.
  • If the server returns an error, the field name is incorrect; otherwise, proceed…

  6. Cont.
  • With the correct field name, construct the SQL query and inject it.
  Example (the value submitted in place of a user ID):
    101 AND Len(( SELECT first_name FROM user_data WHERE userid =15613)) = 6

  7. Paper overview
  • Types of vulnerabilities
  • Measures
  • Tools (WebGoat)

  8. Types of vulnerabilities
  • Database system vulnerability
  • Incorrect type handling
  • Incorrectly filtered escape characters

  9. Measures
  • Web application design: analyze against vulnerabilities
  • Use strongly defined types and validation for user input
  • Use parameterized queries
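The following is an added example (not from the presentation) showing why the measures on slide 9 defeat the slide 6 injection. It builds a constructed in-memory SQLite table using the slide's names (user_data, userid, first_name) with sample rows, and assumes a Len() alias because the slide's payload uses the SQL Server/Access function name while SQLite calls it length().

```python
import sqlite3

# Constructed in-memory table using the slide's names; row contents are sample data.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (userid INTEGER PRIMARY KEY, first_name TEXT)")
    conn.executemany("INSERT INTO user_data VALUES (?, ?)",
                     [(101, "Alice"), (15613, "Joseph")])
    # Assumption: alias Len() to Python's len so the slide's payload runs unchanged.
    conn.create_function("Len", 1, len)
    return conn

def lookup_unsafe(conn, userid):
    # The design error: user input is spliced into the SQL text, so the database
    # parses whatever the user typed as part of the statement.
    sql = f"SELECT first_name FROM user_data WHERE userid = {userid}"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, userid):
    # Measure: parameterized query. The SQL text is fixed; the value is bound
    # separately and cannot change the statement's structure.
    sql = "SELECT first_name FROM user_data WHERE userid = ?"
    return [row[0] for row in conn.execute(sql, (userid,))]

def parse_userid(raw):
    # Measure: strongly defined type and validation. A userid is an integer;
    # anything else is rejected before it reaches the database.
    if not raw.isdigit():
        raise ValueError(f"userid must be a positive integer, got {raw!r}")
    return int(raw)

# The injected value from slide 6; len("Joseph") == 6, so the AND clause is true.
PAYLOAD = "101 AND Len((SELECT first_name FROM user_data WHERE userid = 15613)) = 6"

def demo():
    conn = make_db()
    results = {
        # Unsafe: the injected AND clause is evaluated, leaking whether the guess was right.
        "unsafe": lookup_unsafe(conn, PAYLOAD),
        # Parameterized: the whole string is compared as data; no row has that userid.
        "parameterized": lookup_parameterized(conn, PAYLOAD),
    }
    try:
        parse_userid(PAYLOAD)
        results["validated"] = "accepted"
    except ValueError as exc:
        results["validated"] = f"rejected: {exc}"
    return results
```

Running demo() shows the unsafe lookup returning the row for user 101 (the injected condition held), while the parameterized lookup returns nothing and the type check rejects the input outright.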

  10. Tools
  • WebGoat, developed by OWASP.org: a free resource to experiment with and learn about SQL injection

  11. Conclusion
  • SQL injection is a serious concern.
  • A single design error can be disastrous for the security of sensitive information.

  12. References
  • Figure 1. http://ocliteracy.com/techtips/sql-injection.html
  • Figure 2. Zhi Jian Zhu and Mohammad Zulkernine, “Towards an Aspect-Oriented Intrusion Detection Framework”
  • http://www.owasp.org/
  • http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf
