Scribd
Upload
111 views22 pages

SQL Injection

This document discusses SQL injection, which is a type of security exploit where an attacker injects SQL statements into an application to gain unauthorized access to a database. It describes different types of SQL injection like SQL manipulation, code injection, and buffer overflow. It provides steps to perform SQL injection and ways it works. Countermeasures like input validation, output encoding, and least privilege are recommended to prevent SQL injection attacks.

Uploaded by

Nabeel Muhammed N
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
111 views22 pages

SQL Injection

This document discusses SQL injection, which is a type of security exploit where an attacker injects SQL statements into an application to gain unauthorized access to a database. It describes different types of SQL injection like SQL manipulation, code injection, and buffer overflow. It provides steps to perform SQL injection and ways it works. Countermeasures like input validation, output encoding, and least privilege are recommended to prevent SQL injection attacks.

Uploaded by

Nabeel Muhammed N
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 22

INJECTION

NABEEL MUHAMMED N
NO:35

AKNMGPTC THIRURANGADI CT BATCH 2014-17


CONTENTS

 Introduction
 Types of SQL INJECTION
 Steps for performing SQL INJECTION
 How it Works
 Countermeasures
 Conclusion
 References
 SQL Injection is a type of Security Exploit in
which the attacker injects SQL statements to
gain access to restricted resources and make
changes.

 TARGET: Web Application with backend


database

 Uses client supplied SQL queries to get


unauthorized access to database.
SQL Injection types:

 SQL Manipulation

 Code Injection

 Function Call Injection

 Buffer Over Flow


SQL MANIPULATION:

 It means to manipulate and retrieve data in a relational


database.
 SQL Manipulation comprises the SQL-Data change
statements, which modify the stored data but not the schema
or database objects.
CODE INJECTION:

 Code injection is the exploitation of computer application


that is caused by processing invalid data.
 It is always used malevolently which means it is always used in
an evil way to destroy a database by exploiting the other
codes.
FUNCTION CALL INJECTION:

 It is one of the most common type of injection technique


where functions are used for injection.
 When a function call a parameter then the attacker passes a
different parameter to the function resulting something
different than expected.
BUFFER OVERFLOW:

 It also one of the common technique used for injection at the


users input side.
 It is a mechanism of injection by input of data exceeding the
limits of the fields of the user input resulting an error message
using which the SQL codes are injected.
SQL Injection Steps:
 Input field to submit data
(e.g. a login page)
SQL Injection Steps
(contd..)
 Check for server pages if input field is absent
e.g. http://www.xsecurity.com/index.jsp?id=10

 In the above example attack will be like this:


e.g.
http://www.xsecurity.com/index.jsp?id=debu’ or
1=1 –

 Look for errors: This can be done using single


quotation mark (‘). E.g.
Test for Vulnerability:
Using single quote in the input

•sujit’ or 1=1 --
•login: shweta’ or 1=1 --
•http://search/index.asp?id=sql’ or 1=1 --

Depending on the error:

• ‘ or 1=1 --
• “ or 1=1 --
•‘ or ‘a’ = ‘a
• “ or “a” = “a
•‘) or (‘a’ = ‘a)
How It Works:
Examples: BadLogin.aspx.cs
 Minimize the Privilege of Database Connection
 Disable Verbose Error Message
 Protect the system account “SA”

 Audit Source Code:


 Escape Single Quotes
 Input Validation
 Reject Known Bad Input
 Input Bound Checking
 All user inputs should be filtered
SQL Injection Detection and Blocking Tools

SQLBlock
Screen Shots
Conclusion:

Now a days SQL injection is one of the biggest nightmare


among Database administrators. Though we have a lot of way
for its prevention but still today’s most website suffer from this
attack.
References

 http://hack.er.org/sqlinjection
 http://hackercentre.com/sqlinjectioncheetsheet
22

You might also like