
Approaches to detect and prevent sql injection in web applications

SQL injection (SQLi) is a type of cyberattack against web applications that use SQL databases such as IBM Db2, Oracle, MySQL, and MariaDB. As the name suggests, the attack involves the injection of malicious SQL statements to interfere with the queries sent by a web application to its database. Here we will see the approaches to detect and prevent SQL injection in web applications.



  1. Presented by Sandeep Kumbhar, M.Tech (CSE), RNSIT
  2. Agenda: Introduction; Types of SQL Injection; Approaches to detect SQL Injection; How to prevent SQL Injection; Conclusion. (Dept. of CSE, RNSIT, 2012)
  3. What is SQL Injection?
  4. (figure only, no text)
  5. Tautology. Example: Select * from <tablename> where userId = <id> and password = <wrongPassword> or 1=1;
     Logically incorrect queries. Example: Select * from <tablename> where userId = 'xyz"" and password = <wrongPassword> or 1=1;
  6. Union queries; Piggy-backed queries
  7. Stored Procedures. Example: Select * from <tablename> where userId = <id> and password = <Password> or 1=1; SHUTDOWN;
     Blind Injection. Example: SELECT name FROM <tablename> WHERE id=<username> and 1=0 -- AND pass =
     versus: SELECT name FROM <tablename> WHERE id=<username> and 1=1 -- AND pass =
  8. Timing Attacks. Example: declare @s varchar(500); select @s = db_name(); if (ascii(substring(@s, 1, 1)) & (power(3, 0))) > 0 waitfor delay '0:0:10'
     Alternate Encoding. Example: SELECT name FROM <tablename> WHERE id='' and password=0; exec(char(0x73687574646f776e))
  9. Approaches to detect SQL injection: a mechanism to detect SQL injection attacks; knowledge of SQL injection vulnerabilities in web applications; the IDS approach, which needs a generic signature, accurate taint propagation, syntax-aware evaluation, and minimal deployment requirements.
  10. Fig-1: Identification of trusted and untrusted data
  11. Fig-2: The SQL injection detection process
  12. How to prevent SQL injection, for database administration:
      1. Install the database on a different machine than the web server or application server.
      2. Disable all default accounts and passwords, including the super-user account.
      3. Create a user account that has the minimum privileges necessary for the application to access the data.
      4. Identify the list of SQL statements the application will use and allow only those statements, e.g. Select, Insert, Update.
      5. Use read-only views for SQL statements that do not require any inserts or updates, e.g. search functionality or login functionality.
  13. How to prevent SQL injection, for developers:
      1. Sanitize the input by validating it in your code.
      2. Use parameterized queries instead of dynamic queries. For example, in Java use a PreparedStatement instead of a Statement object.
      3. Employ proper error handling and logging within the application so that a database error or any other technical information is not revealed to the user.
      4. Choose names for tables and fields that are not easy to guess.
      5. Use stored procedures instead of raw SQL wherever possible.
  14. Conclusion: Security is still one of the major issues all across the globe. It is not difficult to prevent SQL injection attacks. Developer training has been very helpful in increasing their understanding of website vulnerabilities and the extent of damage they can do.
  15. "Precaution is better than cure."
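The contrast between the tautology and logically incorrect queries of slide 5 and the parameterized-query and error-handling advice of slide 13, as an added example that is not part of the deck. It is Python with the standard sqlite3 module standing in for the Java PreparedStatement the slide names; the users table and the user alice are constructed for the demo.

```python
import sqlite3

def make_db():
    """Constructed in-memory demo database with one user (not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userId TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn

def login_dynamic(conn, user_id, password):
    """VULNERABLE: the 'dynamic query' the slides warn about. Input is pasted into
    the SQL text, so a tautology in the password field rewrites the WHERE clause."""
    sql = (f"SELECT * FROM users WHERE userId = '{user_id}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn, user_id, password):
    """HARDENED: parameterized query (the DB-API equivalent of a Java
    PreparedStatement). The query shape is fixed; input can only be a value."""
    sql = "SELECT * FROM users WHERE userId = ? AND password = ?"
    return conn.execute(sql, (user_id, password)).fetchone() is not None

def raises_db_error(fn, conn, user_id, password):
    """True if the login raised a database error. With dynamic SQL a stray quote
    (slide 5's 'logically incorrect query') produces an error whose text would
    leak schema details if shown to the user (slide 13, point 3)."""
    try:
        fn(conn, user_id, password)
        return False
    except sqlite3.Error:
        return True

def demo():
    conn = make_db()
    tautology = "wrong' OR 1=1 --"   # slide 5's tautology, in the password field
    malformed = "xyz'"               # slide 5's unbalanced quote, in the userId field
    return {
        "dynamic_legit": login_dynamic(conn, "alice", "correct-horse"),
        "dynamic_tautology": login_dynamic(conn, "alice", tautology),
        "dynamic_malformed_errors": raises_db_error(login_dynamic, conn, malformed, "pw"),
        "param_legit": login_parameterized(conn, "alice", "correct-horse"),
        "param_tautology": login_parameterized(conn, "alice", tautology),
        "param_malformed_errors": raises_db_error(login_parameterized, conn, malformed, "pw"),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The dynamic version logs in with the tautology and throws a raw database error on the malformed input; the parameterized version treats both as ordinary, non-matching values.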
