SQL Injection


Presentation Description

SQL Injection Attacks


Presentation Transcript

PowerPoint Presentation:

Database Security: Database System

PowerPoint Presentation:

Presenting & performing by Aakif Hussain Bhat, Course: B-Tech, Branch: CS

PowerPoint Presentation:

Database Security
Database security ensures that only authorized users can perform authorized activities at authorized times.
Security -- Access control

PowerPoint Presentation:

Three Goals of DB Security
Secrecy or confidentiality refers to the protection of data against unauthorized disclosure.
Integrity refers to the prevention of unauthorized and improper data modification.
Availability refers to the prevention of, and recovery from, hardware and software errors and from malicious denial of data access that makes the database system unavailable.

PowerPoint Presentation:

Example: Payroll Database
Salaries should not be released to unauthorized individuals.
Salaries should only be modified by those who are properly authorized.
Paychecks should be paid out on time.

PowerPoint Presentation:

DBMS Security Model

DBMS Security Guidelines:

Run the DBMS behind a firewall, but plan as though the firewall has been breached.
Apply the latest operating system and DBMS service packs and fixes.
Use the least functionality possible.
Protect the computer that runs the DBMS.
Manage accounts and passwords.
Application security.

SQL Injection Attack:

A SQL injection attack occurs when data from the user is used to modify a SQL statement.
User input that can modify a SQL statement must be carefully validated to ensure that only valid input has been received and that no additional SQL syntax has been entered, for example the tautology '1'='1'.

PowerPoint Presentation:

SQL Injection Attack (SQLIA) is listed among the top 10 web application vulnerabilities of 2007 and 2011 by the Open Web Application Security Project (OWASP).
The Storm Worm is one representation of compounded SQLIA.

PowerPoint Presentation:

SQL - INJECT

PowerPoint Presentation:

James Walden Slides, Northern Kentucky University

Example SQL Injection Code:

Example: users are asked to enter their names into a Web form textbox.
User input: Black hacker' OR TRUE
Resulting statement: SELECT * FROM EMPLOYEE WHERE EMPLOYEE.Name = 'Black hacker' OR TRUE;
Result: every row of the EMPLOYEE table will be returned.

Password Example:

Password Example (login form)
Enter Username:
Enter Password:
Submit

Example http calls with SQL:

Example HTTP call carrying SQL in the id parameter:
http://duck/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login WHERE login_name='barak'--

PowerPoint Presentation:

Blind SQL injection / causes

SQL Injection Causes:

Primarily from string building.
Building a SQL string from user input is DANGEROUS.
Input must be validated (sanitized).

PowerPoint Presentation:

Blind SQL Injection
Blind SQL injection is used when a web application is vulnerable to an SQL injection but the results of the injection are not visible to the attacker.
This type of attack can become time-intensive because a new statement must be crafted for each bit recovered.

PowerPoint Presentation:

One type of blind SQL injection forces the database to evaluate a logical statement on an ordinary application screen. The two requests below differ only in whether the appended condition is true or false:
SELECT booktitle FROM booklist WHERE bookId = 'OOk14cd' AND '1'='1';
SELECT booktitle FROM booklist WHERE bookId = 'OOk14cd' AND '1'='2';
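The following is an added example, not code from the slides, showing in Python with sqlite3 what the preceding slides describe: a query built by string concatenation (the "string building" cause) versus the same query with a bound parameter. It uses the deck's own inputs: the name tautology from the EMPLOYEE example and the true/false conditions from the booklist example. The tables, row values and function names are constructed for this example.

```python
import sqlite3

# Constructed sample data (not from the slides): a toy EMPLOYEE table
# and a toy booklist table, matching the tables the slides refer to.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE EMPLOYEE (Name TEXT, Salary INTEGER)")
    conn.executemany("INSERT INTO EMPLOYEE VALUES (?, ?)",
                     [("Alice", 50000), ("Bob", 42000), ("Carol", 61000)])
    conn.execute("CREATE TABLE booklist (bookId TEXT, booktitle TEXT)")
    conn.executemany("INSERT INTO booklist VALUES (?, ?)",
                     [("OOk14cd", "Database Security"),
                      ("OOk15ab", "Web Security")])
    return conn

# VULNERABLE: the user's text is pasted into the SQL string, so a quote
# character and keywords inside the input become part of the statement.
def find_employee_unsafe(conn, name):
    sql = "SELECT Name FROM EMPLOYEE WHERE Name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

# FIXED: the user's text travels as a bound parameter; the DBMS treats it
# as a string value to compare against, never as SQL syntax.
def find_employee_safe(conn, name):
    sql = "SELECT Name FROM EMPLOYEE WHERE Name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

# Same pair for the booklist lookup used in the blind-injection slide.
def book_title_unsafe(conn, book_id):
    sql = "SELECT booktitle FROM booklist WHERE bookId = '" + book_id + "'"
    return [row[0] for row in conn.execute(sql)]

def book_title_safe(conn, book_id):
    sql = "SELECT booktitle FROM booklist WHERE bookId = ?"
    return [row[0] for row in conn.execute(sql, (book_id,))]

def demo():
    conn = make_db()
    # The deck's tautology input: the closing quote ends the literal and
    # OR '1'='1' makes the WHERE clause true for every row.
    tautology = "Black hacker' OR '1'='1"
    # The deck's blind-injection probe: a valid id with a true and a false
    # condition appended. With string building the two responses differ
    # (that difference is the "oracle"); with a bound parameter both
    # lookups search for a literal id that does not exist.
    probe_true = "OOk14cd' AND '1'='1"
    probe_false = "OOk14cd' AND '1'='2"
    return {
        "unsafe_tautology": find_employee_unsafe(conn, tautology),
        "safe_tautology": find_employee_safe(conn, tautology),
        "unsafe_true": book_title_unsafe(conn, probe_true),
        "unsafe_false": book_title_unsafe(conn, probe_false),
        "safe_true": book_title_safe(conn, probe_true),
        "safe_false": book_title_safe(conn, probe_false),
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:17s} -> {rows}")
```

The point to take from the output is that the parameterized versions return the same (empty) result for both probe values, so there is nothing for a blind attacker to distinguish, while the concatenated versions leak a whole table or a one-bit answer.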

PowerPoint Presentation:

British Telecom has dismissed the significance of supposed vulnerabilities on its systems detailed by infamous hacker Unu on Tuesday. The Romanian hacker posted screenshots illustrating what he claimed highlighted SQL injections in a posting at Hackersploit.org. BT claimed the vulnerability only existed on a test system.
Source: http://www.theregister.co.uk/2009/03/11/bt_website_security_flap/

PowerPoint Presentation:

Auditing is the process of tracking who accesses the database and the resources accessed.
Done by writing to a log file.
What is tracked: user login/logout, data accessed.
Source: http://adbc.kennesaw.edu -> Security -> Database Auditing
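As an added example (not from the slides), here is a small scan over an audit log of the shape this slide describes: who logged in and out, which statements each user ran, and how many rows came back. It summarizes access per user and flags statements that carry the injected syntax seen earlier in the deck (a constant condition such as '1'='1', an appended UNION SELECT, or a trailing -- comment). The log format, the field names and the sample lines are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed audit log (not real data): one line per event, with the
# statement text and row count recorded for queries.
SAMPLE_AUDIT_LOG = """\
2009-03-11T09:00:01 user=payroll_app event=login
2009-03-11T09:00:05 user=payroll_app event=query rows=1 sql=SELECT Salary FROM EMPLOYEE WHERE Name = 'Alice'
2009-03-11T09:01:10 user=payroll_app event=query rows=1 sql=SELECT Salary FROM EMPLOYEE WHERE Name = 'Bob'
2009-03-11T09:02:33 user=payroll_app event=query rows=3 sql=SELECT Salary FROM EMPLOYEE WHERE Name = 'x' OR '1'='1'
2009-03-11T09:03:00 user=payroll_app event=query rows=0 sql=SELECT booktitle FROM booklist WHERE bookId = 'OOk14cd' AND '1'='2'
2009-03-11T09:03:01 user=payroll_app event=query rows=1 sql=SELECT booktitle FROM booklist WHERE bookId = 'OOk14cd' AND '1'='1'
2009-03-11T09:04:00 user=payroll_app event=query rows=1 sql=SELECT name FROM items WHERE id = 10 UNION SELECT password FROM admin_login WHERE login_name = 'barak'--
2009-03-11T09:05:00 user=payroll_app event=logout
2009-03-11T09:06:00 user=dba event=login
"""

# Assumed line layout: timestamp, user, event, then for queries the row
# count and the statement text (which may contain spaces, so it is last).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\w+)"
    r"(?: rows=(?P<rows>\d+) sql=(?P<sql>.*))?$")

# Indicators that user input was interpreted as SQL syntax. An application
# comparing a quoted literal with another quoted literal is a constant
# condition and almost never appears in legitimate generated SQL.
SUSPICIOUS = [
    ("constant_condition", re.compile(r"'\w*'\s*=\s*'\w*'|\bOR\s+TRUE\b", re.I)),
    ("union_select", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("comment_tail", re.compile(r"--\s*$")),
]

def parse_audit_log(text):
    """Turn the log text into a list of dicts; lines that do not fit are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["rows"] = int(rec["rows"]) if rec["rows"] is not None else None
        records.append(rec)
    return records

def access_summary(records):
    """Per user: how often they logged in, how many queries, how many rows fetched."""
    summary = defaultdict(lambda: {"logins": 0, "queries": 0, "rows": 0})
    for rec in records:
        s = summary[rec["user"]]
        if rec["event"] == "login":
            s["logins"] += 1
        elif rec["event"] == "query":
            s["queries"] += 1
            s["rows"] += rec["rows"]
    return dict(summary)

def flag_suspicious(records):
    """Return (timestamp, user, reason) for each query that matches an indicator."""
    flagged = []
    for rec in records:
        if rec["event"] != "query":
            continue
        for reason, pattern in SUSPICIOUS:
            if pattern.search(rec["sql"]):
                flagged.append((rec["ts"], rec["user"], reason))
                break  # report the first matching reason per statement
    return flagged

if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for user, stats in access_summary(recs).items():
        print(user, stats)
    for ts, user, reason in flag_suspicious(recs):
        print("FLAG", ts, user, reason)
```

Note that the blind-injection probe in the sample produces one flagged line for the false condition (zero rows) and one for the true condition (one row); seeing those arrive as a pair from the same user is exactly the pattern this kind of audit exists to surface.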

PowerPoint Presentation:

Data theft and breaches from cybercrime may have cost businesses as much as US$1 trillion globally.
Source: http://www.internetnews.com/xSP/article.php/3493156

PowerPoint Presentation:

References
Bertino, E. and Sandhu, R. (2005, Jan-Mar). Database Security—Concepts, Approaches, and Challenges. IEEE Transactions on Dependable and Secure Computing, vol. 2, no. 1.
Web application incident database: http://www.webappsec.org/projects/whid/byid_id_2001-6.shtml
Data Loss Archive and Database: http://attrition.org/dataloss/

PowerPoint Presentation:

THANK YOU
