SQL Injection
(CPSC620)
Sanjay Tibile
Vinay Deore
Agenda
Database and SQL
What is SQL Injection?
Types
Example of attack
Prevention
References
Database: A database is an organized collection of data, in digital form, kept for one or more purposes.
SQL: A programming language designed for managing data in relational database management systems (RDBMS).
SQL Injection: SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution.
SQL injection is often used to attack the security of a website: SQL statements entered into a web form get a badly designed website to dump its database contents to the attacker.
Many web applications take user input from a form. Often this user input is used literally in the construction of a SQL query submitted to a database.
Examples:
Brute-force password guessing
SELECT email, passwd, login_id, full_name FROM members WHERE email = '[email protected]' AND passwd = 'hello123';
The database isn't read-only
SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x'; DROP TABLE members;
Adding a new member
SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x'; INSERT INTO members ('email','passwd','login_id','full_name') VALUES ('[email protected]','hello','steve','Steve Friedl');
Mail me a password
SELECT email, passwd, login_id, full_name FROM members WHERE email = 'x'; UPDATE members SET email = '[email protected]' WHERE email = '[email protected]';
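The following example is added here and is not code from the slides. It shows, in Python with the standard sqlite3 module, the difference between a lookup that pastes form input into the query text (the situation the examples above exploit) and the same lookup with bound variables. The table layout, the sample member and the e-mail address are constructed for the example; the injected input is the slides' "database isn't read-only" string.

```python
import sqlite3


# Constructed sample data (not from the slides): one in-memory members table
# with a single row, so the example runs offline.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (email TEXT, passwd TEXT, login_id TEXT, full_name TEXT)"
    )
    conn.execute(
        "INSERT INTO members VALUES ('bob@example.com', 'hello123', 'bob', 'Bob Example')"
    )
    conn.commit()
    return conn


def build_query_vulnerable(email: str, passwd: str) -> str:
    """Builds the slides' lookup query by pasting user input into the SQL text.
    Whatever the user typed becomes part of the statement itself."""
    return (
        "SELECT email, passwd, login_id, full_name FROM members "
        f"WHERE email = '{email}' AND passwd = '{passwd}';"
    )


def lookup_vulnerable(conn: sqlite3.Connection, email: str, passwd: str) -> str:
    """Runs the concatenated text with executescript, which executes every
    statement it contains, one after another. Input that closes the quote and
    appends a second statement therefore gets that statement executed."""
    try:
        conn.executescript(build_query_vulnerable(email, passwd))
        return "ok"
    except sqlite3.Error as exc:
        # The leftover tail of the original query may fail to parse, but the
        # statements before it have already run by then.
        return f"error: {exc}"


def lookup_safe(conn: sqlite3.Connection, email: str, passwd: str) -> list:
    """Same lookup with bound variables ('?' placeholders). The values travel
    to the driver separately from the SQL text and cannot change its structure."""
    cur = conn.execute(
        "SELECT email, passwd, login_id, full_name FROM members "
        "WHERE email = ? AND passwd = ?",
        (email, passwd),
    )
    return cur.fetchall()


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    payload = "x'; DROP TABLE members;"   # the slides' "database isn't read-only" input
    conn = make_db()
    print(lookup_vulnerable(conn, payload, "hello123"))
    print("table survives vulnerable lookup:", table_exists(conn, "members"))

    conn = make_db()
    print(lookup_safe(conn, payload, "hello123"))
    print("table survives safe lookup:", table_exists(conn, "members"))
```

With the concatenating version the members table is gone after one request, even though the tail of the query fails to parse; with placeholders the same input is just an e-mail address that matches no row, and the table is untouched.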
Types
Incorrect Type Handling
Poorly Filtered Strings
White Space Multiplicity
Attackers get hold of the error information
Using SQL injections, attackers can
Add new data to the database
Could be embarrassing to find yourself selling some inappropriate items on your site
Perform an INSERT in the injected SQL
Modify data currently in the database
Could be very costly to have an expensive item suddenly be deeply 'discounted'
Perform an UPDATE in the injected SQL
Often can gain access to other users' system capabilities by obtaining their passwords
Examples: In January 2008, tens of thousands of PCs were infected by an automated SQL injection attack that exploited a vulnerability in application code that uses Microsoft SQL Server as the database store.
On March 27, 2011 mysql.com, the official homepage for MySQL, was compromised by TinKode using blind SQL injection.
In August 2011, a hacker stole user records from the Nokia Developer site using SQL injection.
Sony PlayStation user data was compromised.
Defenses
Privilege Restrictions
Restrict functions that are not necessary for the application
Use stored procedures for database access
Use stored procedures for performing access on the application's behalf, which can eliminate SQL in the application entirely.
More Defenses
Check syntax of input for validity
Many classes of input have fixed languages: e-mail addresses, dates, part numbers, etc.
Verify that the input is a valid string in the language
Sometimes languages allow problematic characters (e.g., '*' in e-mail addresses); you may decide to not allow these
If you can exclude quotes and semicolons, that's good
Have length limits on input
Many SQL injection attacks depend on entering long strings
Limit database permissions and segregate users
Even a "successful" SQL injection attack is going to have much more limited success.
Isolate the webserver
For instance, put the machine in a DMZ with extremely limited pinholes.
Configure database error reporting
Default error reporting often gives away information that is valuable to attackers (table names, field names, etc.)
Configure it so that this information is never exposed to a user
If possible, use bound variables
Some libraries allow you to bind inputs to variables inside a SQL statement
Perl example (from http://www.unixwiz.net/techtips/sql-injection.html):
$sth = $dbh->prepare("SELECT email, userid FROM members WHERE email = ?;");
$sth->execute($email);
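The following example is added here and is not code from the slides. It puts three of the defenses listed above into one small Python function: a fixed-language check for e-mail addresses, a length limit, and error handling that writes the database's own message to the server log while the user only ever sees a generic reply. The regular expression, the 64-character limit, the logger name and the sample inputs are all choices made for this example, not values from the slides.

```python
import logging
import re
import sqlite3

# Policy values chosen for this example (assumptions, not from the slides).
MAX_INPUT_LEN = 64
# A deliberately narrow "language" for e-mail addresses: a local part and a
# dotted domain made of letters, digits and a few separators. Quotes,
# semicolons and '*' are simply not in the alphabet, so they never reach SQL.
EMAIL_RE = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

log = logging.getLogger("dbaccess")


def validate_email(value: str) -> bool:
    """Length limit first, then a full-string match against the fixed language."""
    if len(value) > MAX_INPUT_LEN:
        return False
    return EMAIL_RE.fullmatch(value) is not None


def lookup_login(conn: sqlite3.Connection, email: str) -> tuple:
    """Returns (status, detail). Validation failures and database errors both
    yield a generic message; the real error text goes only to the server log,
    so table and column names are never shown to the user."""
    if not validate_email(email):
        return ("rejected", "invalid e-mail address")
    try:
        rows = conn.execute(
            "SELECT login_id FROM members WHERE email = ?", (email,)
        ).fetchall()
        return ("ok", [r[0] for r in rows])
    except sqlite3.Error as exc:
        log.error("lookup failed: %s", exc)   # detail stays server-side
        return ("error", "the request could not be processed")


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    # Constructed sample inputs, including the slides' injected string.
    samples = [
        "bob@example.com",
        "x'; DROP TABLE members;",
        "bob*@example.com",
        "a" * 70 + "@example.com",
    ]
    for sample in samples:
        print(repr(sample), "->", validate_email(sample))
    # A connection with no members table at all, to show that the user-facing
    # message carries none of the database's error detail.
    conn = sqlite3.connect(":memory:")
    print(lookup_login(conn, "bob@example.com"))
```

The validation runs before any database call, so an input that is not a well-formed address is rejected without ever being bound into a query, and the generic error string returned on failure contains neither the table name nor the driver's message.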
References:
http://www.unixwiz.net/techtips/sql-injection.html
http://msdn.microsoft.com/en-us/library/ms161953.aspx
http://php.net/manual/en/security.database.sql-injection.php
http://en.wikipedia.org/wiki/SQL_injection
Thank You!!!