
Sql injections (Basic bypass authentication)

Description: The PPT gives a brief introduction to SQL injection, how it is exploited, and the mechanisms that can be used to patch this vulnerability.


Page 1: Sql injections (Basic bypass authentication)

BY :- RAVINDRA SINGH RATHORE

BRANCH :- COMPUTER SCIENCE

BATCH :- B3

SQL INJECTIONS

Page 2: Sql injections (Basic bypass authentication)

SQL Injections

Page 3: Sql injections (Basic bypass authentication)

What is SQL Injection?

The ability to inject SQL commands into the database engine through an existing application.

Page 4: Sql injections (Basic bypass authentication)

SQL Injection

Generally, the purpose of SQL injection is to convince the application to run SQL code that was not intended.

SQL injection occurs when an application builds a SQL statement by concatenating user-provided data into the query text without first validating the input, so that the data is parsed as part of the command rather than treated as a value.

Page 5: Sql injections (Basic bypass authentication)

SQL Injection

The user input is then submitted to a web application database server for execution.

When successfully exploited, SQL injection can give an attacker access to database content or, where the database exposes such functionality (for example the xp_cmdshell stored procedure on MS SQL Server), allow the attacker to execute operating-system commands on the database server.

In the worst-case scenario, the hacker can take control of the server that is hosting the database.

Page 6: Sql injections (Basic bypass authentication)

SQL Injection

This exploit can give a hacker access to a remote shell on the server file system.

The impact of a SQL injection attack depends on:
– where the vulnerability is in the code,
– how easy it is to exploit the vulnerability,
– what level of access the application has to the database (an application that connects as the database owner or sysadmin turns a data leak into a full compromise).

Theoretically, SQL injection can occur in any type of application, but it is most commonly associated with web applications.

Web applications are easy targets because by their very nature they are open to being accessed from the Internet.

Page 7: Sql injections (Basic bypass authentication)

HOW COMMON IS IT?

It is probably the most common website vulnerability today!

It is a flaw in "web application" development; it is not a DB or web server problem.

Most programmers are still not aware of this problem.

A lot of the tutorials & demo "templates" are vulnerable.

Even worse, a lot of solutions posted on the Internet are not good enough.

In our pen tests over 60% of our clients turn out to be vulnerable to SQL Injection.

Page 8: Sql injections (Basic bypass authentication)

How does SQL Injection work?

Common vulnerable login query:

SELECT * FROM users WHERE login = 'silent' AND password = 'hexor'

(If it returns something then login!)

ASP/MS SQL Server login syntax (the query text is built by string concatenation, which is the flaw):

var sql = "SELECT * FROM users WHERE login = '" + formusr + "' AND password = '" + formpwd + "'";

Page 9: Sql injections (Basic bypass authentication)

Injecting through Strings

formusr = ' or 1=1 --
formpwd = anything

Final query would look like this:

SELECT * FROM users WHERE login = '' or 1=1 -- ' AND password = 'anything'

The attacker's leading quote closes the login string, "or 1=1" makes the WHERE clause true for every row, and "--" starts a SQL comment that swallows the rest of the statement, so the password check is never evaluated. The query returns every row in users, and an application that treats "any row returned" as success logs the attacker in, usually as whichever user comes first in the table (often an administrator). On MS SQL Server "--" works as written; on MySQL the comment marker must be followed by a space ("-- ") or "#" used instead.
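The bypass above, worked as an added example (this is not code from the original deck): a Python script using an in-memory SQLite database with a constructed users table. It builds the query by string concatenation exactly as the ASP line on Page 8 does, runs the deck's ' or 1=1 -- payload plus a targeted admin' -- variant, and then sends the same input through a parameterised query to show that the driver keeps it as data. The table contents, the function names and the plaintext password column are assumptions of this example.

```python
import sqlite3

# Constructed demo data for this example (not from the deck). Passwords are
# stored in plaintext only so the query matches the slide; real systems
# store a salted hash and compare against that.
USERS = [("admin", "s3cret"), ("silent", "hexor"), ("bob", "hunter2")]


def make_db():
    """In-memory SQLite database holding the slide's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users (login, password) VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def build_vulnerable_query(formusr, formpwd):
    """String concatenation, exactly what the ASP line on Page 8 does."""
    return ("SELECT * FROM users WHERE login = '" + formusr
            + "' AND password = '" + formpwd + "'")


def vulnerable_login(conn, formusr, formpwd):
    """Vulnerable check: any row returned counts as a successful login.
    Returns the login names of every row the concatenated query matched."""
    sql = build_vulnerable_query(formusr, formpwd)
    return [row[1] for row in conn.execute(sql)]


def safe_login(conn, formusr, formpwd):
    """Parameterised query: the values travel separately from the SQL text,
    so a quote or a comment marker inside them is never parsed as syntax."""
    rows = conn.execute(
        "SELECT * FROM users WHERE login = ? AND password = ?",
        (formusr, formpwd),
    )
    return [row[1] for row in rows]


if __name__ == "__main__":
    db = make_db()
    attempts = [("silent", "hexor"),          # legitimate credentials
                ("' or 1=1 --", "anything"),  # the deck's payload
                ("admin' --", "anything")]    # targeted at one account
    for usr, pwd in attempts:
        print("input:", repr(usr), repr(pwd))
        print("  query:", build_vulnerable_query(usr, pwd))
        print("  vulnerable matches:", vulnerable_login(db, usr, pwd))
        print("  parameterised matches:", safe_login(db, usr, pwd))
```

Run it and the ' or 1=1 -- attempt returns all three users from the concatenated query (the application would log the attacker in as the first row) while the parameterised query returns nothing, because it is looking for a user whose login is literally the string ' or 1=1 --. The admin' -- variant shows why the first row being an administrator is not even needed: naming the account is enough once the password clause is commented out.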

Page 10: Sql injections (Basic bypass authentication)

SQL Injection Defense

It is quite simple: input validation, and keeping user data out of the SQL text by using parameterised queries (prepared statements) instead of string concatenation.

The real challenge is making best practices consistent through all your code.

Enforce "strong design" in new applications.

You should audit your existing websites and source code.

Even if you have an air tight design, harden your servers.

Page 11: Sql injections (Basic bypass authentication)

Input Validation

Define data types for each field.

Implement stringent "allow only good" filters.

If the input is supposed to be numeric, use a numeric variable in your script to store it.

Reject bad input rather than attempting to escape or modify it.
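An allow-list validator for the login form, added here as an example of the four rules above (it is not code from the deck). The concrete field rules are assumptions, since the deck only says "define data types" and "allow only good": logins are lowercase identifiers, a numeric id is converted once and stored as an int, and bad input raises an error instead of being escaped. The password field shows the limit of this approach: users legitimately type quotes, so it can only be bounded in type and length, which is why the query itself still has to be parameterised.

```python
import re

# Assumed field rules for this example (the deck does not specify them).
LOGIN_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")   # letter first, 3-32 chars
ID_RE = re.compile(r"[0-9]{1,9}")                 # plain decimal, fits an int
MAX_PASSWORD_LEN = 128


class InvalidInput(ValueError):
    """Raised for any field that is not on the allow-list; nothing is 'cleaned'."""


def validate_login(value):
    """Allow-list check: a quote, space or '--' cannot survive this pattern."""
    if not isinstance(value, str) or not LOGIN_RE.fullmatch(value):
        raise InvalidInput("login: 3-32 chars of [a-z0-9_], starting with a letter")
    return value


def validate_user_id(value):
    """'If the input is supposed to be numeric, use a numeric variable':
    accept only decimal digits and hand back an int, so '1 OR 1=1' or
    '42; DROP TABLE users' can never be stored as an id."""
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise InvalidInput("id: must be an integer")
    text = str(value).strip()
    if not ID_RE.fullmatch(text):
        raise InvalidInput("id: must be 1-9 decimal digits")
    return int(text)


def validate_password(value):
    """Passwords may contain any character, so only type and length are
    checked here; the query using it must be parameterised regardless."""
    if not isinstance(value, str) or not 1 <= len(value) <= MAX_PASSWORD_LEN:
        raise InvalidInput("password: 1-%d characters" % MAX_PASSWORD_LEN)
    return value


def validate_login_form(form):
    """Validate a whole login form (a dict of raw strings). Returns typed,
    allow-listed values or raises InvalidInput for the first bad field."""
    return {
        "login": validate_login(form.get("login", "")),
        "password": validate_password(form.get("password", "")),
    }


def rejects(validator, value):
    """True if the validator refuses the value (used by the demo and tests)."""
    try:
        validator(value)
    except InvalidInput:
        return True
    return False


if __name__ == "__main__":
    for form in [{"login": "silent", "password": "hexor"},
                 {"login": "' or 1=1 --", "password": "anything"},
                 {"login": "admin' --", "password": "x"}]:
        print(form, "->", "rejected" if rejects(validate_login_form, form) else "ok")
    for raw in ["42", " 7 ", "1 OR 1=1", "42; DROP TABLE users"]:
        print(repr(raw), "->", "rejected" if rejects(validate_user_id, raw) else validate_user_id(raw))
```

Both injection payloads from Page 9 are refused before any SQL is built, and the numeric field comes back as an int that cannot carry SQL syntax. The validator deliberately does not try to strip or escape quotes: an escaping routine has to be correct for every database dialect and encoding, whereas a rejected request is simply never executed.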

Page 12: Sql injections (Basic bypass authentication)

Harden the Server

1. Run the DB as a low-privilege user account, and connect the application with a database login that has only the rights it needs (never the DB owner or sysadmin account).
2. Remove unused stored procedures and functionality, or restrict access to administrators.
3. Change permissions and remove "public" access to system objects.
4. Audit password strength for all user accounts.
5. Firewall the server so that only trusted clients can connect to it (typically only: administrative network, web server and backup server).

Page 13: Sql injections (Basic bypass authentication)

Detection and Dissuasion

You may want to react to SQL injection attempts by:
– Logging the attempts
– Sending email alerts
– Blocking the offending IP
– Sending back intimidating error messages:

"WARNING: Improper use of this application has been detected. A possible attack was identified. Legal actions will be taken."

Check with your lawyers for proper wording.

Whatever the wording, return only your own message, never the database's error text: a raw database error tells the attacker the shape of the query and the names of tables and columns.

This should be coded into your validation scripts.
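Logging and alerting on attempts, as an added example (not code from the deck): a small detector run over constructed web-server log lines in combined-log format, which URL-decodes each query string and looks for the traces a basic bypass leaves behind (a quote followed by a tautology, a quote followed by a comment marker, and UNION SELECT). The deck places this logic in the validation script at request time; the same signatures work there, and the log-based form shown here is what you would use to find attempts after the fact. The log lines, IP addresses and signature list are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log (combined-log style; not from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /login.asp?user=silent&pwd=hexor HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2024:10:01:07 +0000] "GET /login.asp?user=%27+or+1%3D1+--&pwd=anything HTTP/1.1" 200 9112
10.0.0.9 - - [12/Mar/2024:10:01:09 +0000] "GET /login.asp?user=admin%27--&pwd=x HTTP/1.1" 200 9112
10.0.0.12 - - [12/Mar/2024:10:02:30 +0000] "GET /search.asp?q=O%27Brien HTTP/1.1" 200 2048
10.0.0.9 - - [12/Mar/2024:10:03:00 +0000] "GET /item.asp?id=1+UNION+SELECT+login%2Cpassword+FROM+users HTTP/1.1" 500 301
"""

# client ip, timestamp, method, request path and status of one log line
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures are deliberately narrow: a lone apostrophe (O'Brien) is not an
# attack, a quote followed by "or x=y" or by a comment marker is.
SIGNATURES = [
    ("tautology", re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.I)),
    ("comment-after-quote", re.compile(r"'\s*(--|#|/\*)")),
    ("union-select", re.compile(r"\bunion\b.+\bselect\b", re.I)),
]


def scan_line(line):
    """Return an alert dict for a suspicious request line, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("path").partition("?")
    decoded = unquote_plus(query)           # %27 -> ', + -> space, etc.
    hits = [name for name, rx in SIGNATURES if rx.search(decoded)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": path,
            "decoded_query": decoded, "signatures": hits}


def scan_log(text):
    """All alerts for a log, in file order."""
    return [a for a in (scan_line(l) for l in text.splitlines()) if a]


def offending_ips(text):
    """Distinct source addresses that triggered at least one signature;
    the list you would feed to an alert e-mail or a block rule."""
    return sorted({a["ip"] for a in scan_log(text)})


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ts"], alert["ip"], alert["path"],
              alert["signatures"], repr(alert["decoded_query"]))
    print("offending IPs:", offending_ips(SAMPLE_LOG))
```

On the sample log the two login bypasses and the UNION probe are flagged and the O'Brien search is not. Two caveats before wiring this to an IP block: decode before matching (the payloads arrive percent-encoded, as in the sample) and treat signature lists as visibility rather than protection, since they are easy to evade with alternative encodings and the real fix remains the parameterised query.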

Page 14: Sql injections (Basic bypass authentication)

Conclusion

SQL Injection is a fascinating and dangerous vulnerability.

All programming languages and all SQL databases are potentially vulnerable.

Protecting against it requires:
– strong design
– correct input validation
– hardening

Page 15: Sql injections (Basic bypass authentication)

THANK YOU…