Recommended
More Related Content
Similar to Approaches to detect and prevent sql injection in web applications
Similar to Approaches to detect and prevent sql injection in web applications (20)
Recently uploaded
Recently uploaded (20)
Approaches to detect and prevent sql injection in web applications
- 1. Presented by Sandeep Kumbhar M.Tech (CSE), RNSIT
- 2. Introduction Types of SQL Injection Approaches to detect SQL Injection How to prevent SQL Injection Conclusion Dept. of CSE, RNSIT 2012
- 3. ➢What is SQL Injection? 1 Dept. of CSE, RNSIT 2012
- 4. 2 Dept. of CSE, RNSIT 2012
- 5. ➢ Tautology Example – Select * from <tablename> where userId = <id> and password = <wrongPassword> or 1=1; ➢ Logically incorrect queries Example – Select * from <tablename> where userId = ‘xyz”” and password = <wrongPassword> or 1=1; 3 Dept. of CSE, RNSIT 2012
- 6. ➢ Union queries ➢ Piggy-backed queries 4 Dept. of CSE, RNSIT 2012
- 7. ➢ Stored Procedures Example – Select * from <tablename> where userId = <id> and password = <Password> or 1=1; SHUTDOWN; ➢ Blind Injection Example- SELECT name FROM <tablename> WHERE id=<username> and 1 =0 -- AND pass = SELECT name FROM <tablename> WHERE id=<username> and 1 = 1 -- AND pass = 5 Dept. of CSE, RNSIT 2012
- 8. ➢ Timing Attacks Example- Declare @s varchar(500) select @s = db_nameO if (ascii(substring(@s, I, I)) & ( power(3, 0))) > O waitfor delay '0:0:10‘ ➢ Alternate Encoding Example- SELECT name FROM <tablename> WHERE id=’’and password=O;exec(char(O x73687574646j776e)) 6 Dept. of CSE, RNSIT 2012
- 9. Mechanism to detect SQL injection attacks. Knowledge of SQL injection vulnerabilities in web applications. IDS Approach ◦ Generic Signature ◦ Accurate & Taint Propagation ◦ Syntax-aware evaluation ◦ Minimal Deployment Requirements 7 Dept. of CSE, RNSIT 2012
- 10. Dept. of CSE, RNSIT 2012 8 Fig-1: Identification of trusted and untrusted data
- 11. Dept. of CSE, RNSIT 2012 9 Fig-2 shows the SQL Injection Detection Process
- 12. For Database Administration 1. Install the database on a different machine than the Web server or application server. 2. Disable all the default accounts and passwords disabled, including the super-user account 3. Create user account that has the minimum privileges necessary for that application to access the data. 4. Identify the list of SQL statements that will be used by the application and only allow such SQL statements, e.g. Select, Insert, Update, etc. 5. Use read-only views for SQL statements that do not require any inserts or updates, e.g. Search functionality or Login functionality 10 Dept. of CSE, RNSIT 2012
- 13. For Developer 1. Sanitize the input by validating it in your code 2. Use parameterized queries instead of dynamic queries. For example: in Java, use Prepared Statement instead of Statement Object 3.Employ proper error handling and logging within the application so that a database error or any other type of technical information is not revealed to the user 4. Choose names for tables and fields that are not easy to guess 5. Use stored procedures instead of raw SQL wherever possible 11 Dept. of CSE, RNSIT 2012
- 14. Security is still one of the major issues all across the globe. It is not difficult to prevent SQL injection attacks. Developer training has been very helpful in increasing their understanding of website vulnerabilities and the extent of damage they can do. Dept. of CSE, RNSIT 2012 12
- 15. “Precaution is better than cure.” 13 Dept. of CSE, RNSIT 2012
- 16. [1] A. Baranwal Approaches To Detect SQLinjection and XSS in Web Application EECE 571B, Term Survey Paper, April 2012 [2] Protect your Websites from SQL Injection Attacks February 2010 Anurag Agarwal Director of Education Services, WhiteHat Security www.whitehatsec.com [3] A. SRAVANTHI* et al. ISSN: 2250–3676 [IJESAT] International Journal Of Engineering Science & Advanced Technology Volume-2, Issue-3, 664 – 671 [4] http://www.owasp.org/index.php/Top_10_2010-A1-Injection, retrieved on 13/01/2010 14 Dept. of CSE, RNSIT 2012