Database SQL injection security problem handling with examples


This presentation delves into the detection, prevention, and handling of SQL injection attacks, showcasing examples and tools for enhancing database security measures.

  • SQL Injection
  • Security
  • Database
  • Prevention
  • Lehman College

Uploaded on Feb 25, 2025 | 0 Views



Presentation Transcript


  1. Database SQL injection security problem handling with examples. Lehman College, The City University of New York. 2019 International Conference on Computational Science and Computational Intelligence (CSCI). 110525015

  2. Outline: Introduction; Detection and Prevention; Attack with Kali Linux sqlmap; Manual SQLI; Handling Example; Conclusion; My experience.

  3. Introduction

  4. Introduction: Attackers inject an illegal query into the original SQL command to obtain sensitive data.

  5. Introduction: Structured Query Language Injection (SQLI). 1. Detection and prevention; 2. SQLI tool example; 3. Manual attack example; 4. Prevention code example.

  6. Detection and Prevention

  7. Detection and Prevention: 1. Candidate evaluation for Discovering Intent Dynamically (CANDID); 2. Java Database Connectivity (JDBC); 3. Static Analysis Framework for discovering SQL Injection (SAFELI); 4. SQL DOM; 5. Stored Procedure; 6. Aho-Corasick.

  8. Detection and Prevention: Candidate evaluation for Discovering Intent Dynamically (CANDID). Checks whether the front-end query structure matches the back-end structure.

  9. Detection and Prevention: CANDID performance

  10. Detection and Prevention: Java Database Connectivity (JDBC). Checks for type mismatches at run time.

  11. Detection and Prevention: Static Analysis Framework for discovering SQL Injection (SAFELI). Analyzes the application byte-code at compile time. According to the original thesis, this framework consists of: 1. Microsoft Intermediate Language (MSIL) Instrumentor; 2. Symbolic Execution Engine; 3. Library of Attack Patterns; 4. Constraint Solver; 5. Test Case Generator.

  12. Detection and Prevention: SQL Domain Object Model (SQL DOM). Validates queries, strongly typed against a database schema, at compile time. Based on the reference, SQL DOM works with these two fundamental parts: 1. Abstract object model; 2. SQL DOM generator.

  13. Detection and Prevention: Stored procedure. Executing the procedure with parameters.

  14. Detection and Prevention: Aho-Corasick in SQLI prevention. Uses a pattern matching algorithm.
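The slide only names Aho-Corasick; the following added example (written for this transcript, not code from the presentation or its authors) shows how the algorithm is used as a detector: a small set of constructed SQLI signatures is compiled into an automaton, and each request's query string is percent-decoded, lowercased and scanned in one pass. The pattern list, the `scan_query_string` helper and the sample query strings are assumptions chosen for illustration; the URL-encoded payload is the one shown on slide 20.

```python
from collections import deque
from urllib.parse import unquote_plus

# Constructed signature list for the demo; a real deployment tunes its own list.
PATTERNS = ("union select", "' or ", "--", "group_concat(", "information_schema")


class AhoCorasick:
    """Multi-pattern matcher: builds a trie with failure links, scans text in O(n + hits)."""

    def __init__(self, patterns):
        self.goto = [{}]   # goto[state][char] -> next state
        self.out = [[]]    # out[state] -> patterns that end in this state
        self.fail = [0]    # fail[state] -> longest proper suffix state
        for p in patterns:
            s = 0
            for ch in p:
                if ch not in self.goto[s]:
                    self.goto.append({})
                    self.out.append([])
                    self.fail.append(0)
                    self.goto[s][ch] = len(self.goto) - 1
                s = self.goto[s][ch]
            self.out[s].append(p)
        # Breadth-first pass sets failure links; parents are finished before children.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for ch, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(ch, 0)
                # Inherit outputs of the suffix state so nested patterns are reported too.
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def search(self, text):
        """Return (pattern, start_index) for every occurrence in text."""
        s, hits = 0, []
        for i, ch in enumerate(text):
            while s and ch not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(ch, 0)
            for p in self.out[s]:
                hits.append((p, i - len(p) + 1))
        return hits


AUTOMATON = AhoCorasick(PATTERNS)


def scan_query_string(query: str):
    """Normalize a raw HTTP query string the way the matcher expects, then scan it.

    Percent-decoding matters: the slide 20 payload arrives as %20-encoded text.
    Lowercasing makes the signature list case-insensitive.
    """
    text = unquote_plus(query).lower()
    return AUTOMATON.search(text)


if __name__ == "__main__":
    # Constructed inputs: a benign lookup and the URL-encoded payload from slide 20.
    for q in ("artist=2",
              "artist=-2%20union%20select%201,2,group_concat(pass)%20from%20users"):
        print(q, "->", scan_query_string(q))
```

A signature scanner like this is a detection aid for logging and alerting, not a substitute for the parameterized queries the later slides recommend: it only flags strings on its list, so it yields false negatives for inputs that are phrased differently and false positives for legitimate text that happens to contain `--` or `' or `.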

  15. Detection and Prevention

  16. Attack with Kali Linux sqlmap

  17. Attack with Kali Linux sqlmap: Introducing the sqlmap tool. 1. Find the target web page with an HTTP GET link, like /php?id =; 2. Run the command in the tool -> sqlmap -u test.php.vulweb.com/artists.php?artist=2 --dbs, which shows what the table schema is; 3. Save or use the data obtained in the previous step.

  18. Manual SQLI

  19. Manual SQLI: The website is vulnerable if it still works after an apostrophe is appended to the end of the link.

  20. Manual SQLI: http://testphp.vulnweb.com/artists.php?artist=-2%20union%20select%201,2,group_concat(pass)%20from%20users

  21. Handling Example

  22. Handling Example: Using a stored procedure and a dynamic query with parameters.

  23. Handling Example: Using the JDBC checker on Ubuntu Linux

  24. Conclusion

  25. Conclusion: To prevent SQLI attacks, developers must implement the proper SQLI detection and prevention mechanisms mentioned previously. Besides, security measures need to be considered and implemented to protect our data and applications on the cloud in cyberspace.

  26. My experience

  27. My experience: 1. Access data with procedures; 2. Encrypt or hash sensitive information in the database; 3. Limit the accessibility of the browser; 4. Validate HTTP GET parameters before calling procedures; 5. Use a verification code to verify that the request is legitimate.
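Slides 13, 22 and 27 all come down to one mechanism: validate the HTTP parameter, then pass it to the database as a bound parameter rather than as query text. The added example below (written for this transcript, not code from the presentation or its authors) shows the weak form beside the hardened one against an in-memory SQLite database. It assumes a constructed `artists`/`users` schema that mirrors the slide 20 target and uses SQLite parameter binding as a stand-in for the JDBC prepared statement or parameterized stored-procedure call the slides describe; SQLite has no stored procedures, but the binding step is the same idea.

```python
import re
import sqlite3

# Constructed schema and rows; the real test site's tables are not known to this example.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE artists (id INTEGER PRIMARY KEY, name TEXT, bio TEXT);
        CREATE TABLE users (uname TEXT, pass TEXT);
        INSERT INTO artists VALUES (1, 'Alice', 'painter'), (2, 'Bob', 'sculptor');
        INSERT INTO users VALUES ('admin', 's3cret-hash'), ('guest', 'guest-hash');
    """)
    return conn


def lookup_artist_vulnerable(conn: sqlite3.Connection, artist_param: str):
    """Weak form: the raw GET parameter is spliced into the SQL text.

    Anything the client sends becomes part of the statement, so a value such as
    the slide 20 payload changes the query's structure instead of its data.
    """
    sql = "SELECT id, name, bio FROM artists WHERE id = " + artist_param
    return conn.execute(sql).fetchall()


def lookup_artist_safe(conn: sqlite3.Connection, artist_param: str):
    """Hardened form: validate first (slide 27, item 4), then bind (slides 13/22).

    1. The artist id must be a short string of digits; anything else is rejected
       before the database is touched, which is the run-time type check JDBC
       performs when the value is set on a typed placeholder.
    2. The value travels to the engine separately from the SQL text, so it can
       only ever be compared against the id column, never parsed as SQL.
    """
    if not re.fullmatch(r"[0-9]{1,9}", artist_param):
        raise ValueError("artist must be a positive integer id")
    artist_id = int(artist_param)
    sql = "SELECT id, name, bio FROM artists WHERE id = ?"
    return conn.execute(sql, (artist_id,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    # Constructed inputs: a normal lookup and the decoded payload from slide 20.
    normal = "2"
    payload = "-2 union select 1,2,group_concat(pass) from users"
    print("vulnerable, normal :", lookup_artist_vulnerable(db, normal))
    print("vulnerable, payload:", lookup_artist_vulnerable(db, payload))
    print("safe, normal       :", lookup_artist_safe(db, normal))
    try:
        lookup_artist_safe(db, payload)
    except ValueError as exc:
        print("safe, payload      : rejected ->", exc)
```

With the weak function the union member appends a row carrying the `users.pass` column even though no artist has id -2; with the hardened function the same input never reaches the database. Binding alone would also be enough for this query, but the validation step gives the application a clear, loggable rejection instead of a silent empty result.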

  28. END
