SQL injection implementation and prevention
Download as PPTX, PDF1 like295 views
SQL injection is a code injection technique where malicious SQL statements are inserted into an entry field for execution (usually to gain access to a database). It works by exploiting applications that concatenate SQL statements and user input without validation or encoding. The document discusses types of SQL injection like error-based, union-based, and blind SQL injection. It also provides examples of SQL injection and recommendations to avoid it like using prepared statements with bound variables and checking/sanitizing all user input.
![How SQL Injection works
In order to run malicious SQL queries against a database server, an attacker must first
find an input within the web application that is included inside of an SQL query.
In order for an SQL Injection attack to take place, the vulnerable website needs to
directly include user input within an SQL statement. An attacker can then insert a
payload that will be included as part of the SQL query and run against the database
server.
The following server-side pseudo-code is used to authenticate users to the web
application.
# Define POST variables uname = request.POST['username'] passwd =
request.POST['password'] # SQL query vulnerable to SQLi sql = “SELECT id FROM users
WHERE username=’” + uname + “’ AND password=’” + passwd + “’” # Execute the SQL
statement database.execute(sql)
03](https://image.slidesharecdn.com/sql-injection1-170813064442/85/SQL-injection-implementation-and-prevention-4-320.jpg)
SQL injection implementation and prevention
- 1. SQL INJECTION By……… Rejaul Islam Royel
- 2. Which Topic will covered. Definition of SQL Injection How SQL Injection works Types of SQL Injection Error based sql injection Avoidance technique Some Example 1
- 3. SQL Injection? SQL INJECTION IS A CODE INJECTION TECHNIQUE THAT MIGHT DESTROY YOUR DATABASE. SQL INJECTION IS A TYPE OF SECURITY EXPLOIT IN WHICH THE ATTACKER ADDS STRUCTURED QUERY LANGUAGE (SQL) CODE TO A WEB FORM INPUT BOX TO GAIN ACCESS TO RESOURCES OR MAKE CHANGES TO DATA. AN SQL QUERY IS A REQUEST FOR SOME ACTION TO BE PERFORMED ON A DATABASE. TYPICALLY, ON A WEB FORM FOR USER AUTHENTICATION, WHEN A USER ENTERS THEIR NAME AND PASSWORD INTO THE TEXT BOXES PROVIDED FOR THEM, THOSE VALUES ARE INSERTED INTO A SELECT QUERY. 02
- 4. How SQL Injection works In order to run malicious SQL queries against a database server, an attacker must first find an input within the web application that is included inside of an SQL query. In order for an SQL Injection attack to take place, the vulnerable website needs to directly include user input within an SQL statement. An attacker can then insert a payload that will be included as part of the SQL query and run against the database server. The following server-side pseudo-code is used to authenticate users to the web application. # Define POST variables uname = request.POST['username'] passwd = request.POST['password'] # SQL query vulnerable to SQLi sql = “SELECT id FROM users WHERE username=’” + uname + “’ AND password=’” + passwd + “’” # Execute the SQL statement database.execute(sql) 03
- 5. Types of Sql Injection 1. ERROR-BASED SQLI 2. UNION-BASED SQLI 3. INFERENTIAL SQLI (BLIND SQLI) 3.1. BOOLEAN-BASED (CONTENT-BASED) BLIND SQLI 3.2. TIME-BASED BLIND SQLI 04
- 6. Error-based SQLi Error-based SQLi is an in-band SQL Injection technique that relies on error messages thrown by the database server to obtain information about the structure of the database. In some cases, error-based SQL injection alone is enough for an attacker to enumerate an entire database Union-based SQLi Union-based SQLi is an in-band SQL injection technique that leverages the UNION SQL operator to combine the results of two or more SELECT statements into a single result which is then returned as part of the HTTP response. 05
- 7. Inferential SQLi (Blind SQLi) Inferential SQL Injection, unlike in-band SQLi, may take longer for an attacker to exploit, however, it is just as dangerous as any other form of SQL Injection. In an inferential SQLi attack, no data is actually transferred via the web application and the attacker would not be able to see the result of an attack in-band (which is why such attacks are commonly referred to as “blind SQL Injection attacks”). Instead, an attacker is able to reconstruct the database structure by sending payloads, observing the web application’s response and the resulting behavior of the database server. 06
- 8. Boolean-based (content-based) Blind SQLi Boolean-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result. Depending on the result, the content within the HTTP response will change, or remain the same. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned 07
- 9. Time-based Blind SQLi Time-based SQL Injection is an inferential SQL Injection technique that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE. Depending on the result, an HTTP response will be returned with a delay, or returned immediately. This allows an attacker to infer if the payload used returned true or false, even though no data from the database is returned. 08
- 10. Error based sql injection Step 1: Break The Query Original URL www.examples.com/?id=1 Broken URL www.examples.com/?id=1’ or www.examples.com/?id=1” Step 2: Fix The Query www.examples.com/?id=1’ -- or www.examples.com/?id=1” -- 09
- 11. Step 3: Finding Columns URL www.examples.com/?id=1’ order by some value -- Step 4: checking which columns can be used (assuming we found 3 columns) www.examples.com/?id=-1’ union select 1,2,3 -- Result: 2 Step 5: Extracting Information www.examples.com/?id=-1’ union select 1,table_name,3 from information_sachem.tables where table_schema = database()-- 10
- 12. Avoidance technique Never connect to the database as a super user or as the database owner. Use always customized users with very limited privileges. Use prepared statements with bound variables. Check if the given input has the expected data type. If the application waits for application waits for numerical input, consider verifying data with ctype_digit(), or silently change its type using settype(). 11
- 13. Avoidance technique Quote each non numeric user supplied value that is passed to the database with the database-specific string escape function (e.g. mysql_real_escape_string(), sqlite_escape_string(), etc.). Generic functions like addslashes() are useful only in a very specific environment. Do not print out any database specific information, especially about the schema, by fair means or foul. You may use stored procedures and previously defined cursors to abstract data access 12
- 14. Ctype_digit() 13