SlideShare a Scribd company logo

SQL Injection

Download as PPTX, PDF
Asish Kumar Rath, profile picture
Asish Kumar Rath

The document discusses SQL injection, a security exploit that allows attackers to manipulate and retrieve data from a web application's backend database through malformed SQL statements. It outlines various types of SQL injection techniques, including SQL manipulation, code injection, and buffer overflow, along with their operation methods. Additionally, it addresses countermeasures to prevent such attacks, emphasizing the importance of minimizing database privileges and implementing input validation and error handling.

Technology
1 of 22
Downloaded 53 times
1
2
3
4
Most read
5
Most read
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
Most read
22
Asish Ku. Rath Sr. Software Developer
 Introduction  Types of SQL INJECTION  Steps for performing SQL INJECTION  How it Works  Countermeasures  Conclusion  References
SQL Injection
 SQL Injection is a type of Security Exploit in which the attacker injects SQL statements to gain access to restricted resources and make changes.  TARGET: Web Application with backend database  Uses client supplied SQL queries to get unauthorized access to database.
 SQL Manipulation  Code Injection  Function Call Injection  Buffer Over Flow
 It means to manipulate and retrieve data in a relational database.  SQL Manipulation comprises the SQL-Data change statements, which modify the stored data but not the schema or database objects.
 Code injection is the exploitation of computer application that is caused by processing invalid data.  It is always used malevolently which means it is always used in an evil way to destroy a database by exploiting the other codes.
 It is one of the most common type of injection technique where functions are used for injection.  When a function call a parameter then the attacker passes a different parameter to the function resulting something different than expected.
 It also one of the common technique used for injection at the users input side.  It is a mechanism of injection by input of data exceeding the limits of the fields of the user input resulting an error message using which the SQL codes are injected.
 Input field to submit data (e.g. a login page)
 Check for server pages if input field is absent e.g. http://www.xsecurity.com/index.jsp?id=10  In the above example attack will be like this: e.g. http://www.xsecurity.com/index.jsp?id=debu’ or 1=1 –  Look for errors: This can be done using single quotation mark (‘). E.g.
Using single quote in the input •sujit’ or 1=1 -- •login: shweta’ or 1=1 -- •http://search/index.asp?id=sql’ or 1=1 -- Depending on the error: • ‘ or 1=1 -- • “ or 1=1 -- •‘ or ‘a’ = ‘a • “ or “a” = “a •‘) or (‘a’ = ‘a)
SQL Injection
SQL Injection
SQL Injection
 Minimize the Privilege of Database Connection  Disable Verbose Error Message  Protect the system account “SA”  Audit Source Code: Escape Single Quotes Input Validation Reject Known Bad Input Input Bound Checking All user inputs should be filtered
SQLBlock
SQL Injection
SQL Injection
Now a days SQL injection is one of the biggest nightmare among Database administrators. Though we have a lot of way for its prevention but still today’s most website suffer from this attack.
 http://hack.er.org/sqlinjection  http://hackercentre.com/sqlinjectioncheetsh eet
22

More Related Content

PPTX
SQL Injection Introduction and Prevention
Mohammed Fazuluddin
 
PDF
Advanced SQL injection to operating system full control (whitepaper)
Bernardo Damele A. G.
 
PPTX
SQL Injections - A Powerpoint Presentation
Rapid Purple
 
PPTX
Sql Injection attacks and prevention
helloanand
 
PPTX
Ppt on sql injection
ashish20012
 
PDF
Sql Injection - Vulnerability and Security
Sandip Chaudhari
 
PPTX
Sql injections - with example
Prateek Chauhan
 
PPT
Sql injection
Pallavi Biswas
 
SQL Injection Introduction and Prevention
Mohammed Fazuluddin
 
Advanced SQL injection to operating system full control (whitepaper)
Bernardo Damele A. G.
 
SQL Injections - A Powerpoint Presentation
Rapid Purple
 
Sql Injection attacks and prevention
helloanand
 
Ppt on sql injection
ashish20012
 
Sql Injection - Vulnerability and Security
Sandip Chaudhari
 
Sql injections - with example
Prateek Chauhan
 
Sql injection
Pallavi Biswas
 

What's hot (20)

PPTX
Sql injection - security testing
Napendra Singh
 
PPT
Sql injection attack
RajKumar Rampelli
 
PPTX
Sql injection
Zidh
 
PPT
A Brief Introduction in SQL Injection
Sina Manavi
 
PPTX
SQL Injections (Part 1)
n|u - The Open Security Community
 
PPTX
SQL injection
Raj Parmar
 
PPTX
SQL INJECTION
Mentorcs
 
PPT
SQL Injection
Adhoura Academy
 
PPTX
Sql injection
Hemendra Kumar
 
PPTX
SQL injection prevention techniques
SongchaiDuangpan
 
PDF
How to identify and prevent SQL injection
Eguardian Global Services
 
PPT
Sql injection
Nikunj Dhameliya
 
PPTX
SQL Injection
Sayed Ahmad Naweed
 
PPTX
Sql injection in cybersecurity
Sanad Bhowmik
 
PPTX
Cross-Site Scripting (XSS)
Daniel Tumser
 
PPTX
Cross Site Scripting ( XSS)
Amit Tyagi
 
PPTX
Deep understanding on Cross-Site Scripting and SQL Injection
Vishal Kumar
 
PPTX
A2 - broken authentication and session management(OWASP thailand chapter Apri...
Noppadol Songsakaew
 
PPTX
SQL INJECTION
Anoop T
 
PPT
Cross site scripting (xss)
Manish Kumar
 
Sql injection - security testing
Napendra Singh
 
Sql injection attack
RajKumar Rampelli
 
Sql injection
Zidh
 
A Brief Introduction in SQL Injection
Sina Manavi
 
SQL Injections (Part 1)
n|u - The Open Security Community
 
SQL injection
Raj Parmar
 
SQL INJECTION
Mentorcs
 
SQL Injection
Adhoura Academy
 
Sql injection
Hemendra Kumar
 
SQL injection prevention techniques
SongchaiDuangpan
 
How to identify and prevent SQL injection
Eguardian Global Services
 
Sql injection
Nikunj Dhameliya
 
SQL Injection
Sayed Ahmad Naweed
 
Sql injection in cybersecurity
Sanad Bhowmik
 
Cross-Site Scripting (XSS)
Daniel Tumser
 
Cross Site Scripting ( XSS)
Amit Tyagi
 
Deep understanding on Cross-Site Scripting and SQL Injection
Vishal Kumar
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
Noppadol Songsakaew
 
SQL INJECTION
Anoop T
 
Cross site scripting (xss)
Manish Kumar
 
Ad

Viewers also liked (20)

PDF
An Anatomy of a SQL Injection Attack
Imperva
 
PDF
Web Application Security 101 - 14 Data Validation
Websecurify
 
PDF
Cryptoghaphy
anita bodke
 
PDF
Defcon 17-joseph mccray-adv-sql_injection
Ahmed AbdelSatar
 
PDF
SQL Injection - The Unknown Story
Imperva
 
PPTX
Web Security: SQL Injection
Vortana Say
 
PPT
Advanced SQL Injection
amiable_indian
 
PPT
D:\Technical\Ppt\Sql Injection
avishkarm
 
PPTX
SQL Injection in action with PHP and MySQL
Pradeep Kumar
 
DOCX
Types of sql injection attacks
Respa Peter
 
PDF
SQL injection: Not only AND 1=1
Bernardo Damele A. G.
 
PPT
Advanced Sql Injection ENG
Dmitry Evteev
 
PPS
PHP Security
manugoel2003
 
PDF
freeCodeCamp Tokyo meetup 19
健太 田上
 
PDF
Mgea 3-edicion-web1
Eduardo Rom
 
PPT
introaspnet-3030384.ppt
IQM123
 
PDF
February 2015 UK Commercial Bulletin
HML Ltd
 
PDF
China Social Media Recruiting & Talent Management Summit 2012 - opening r...
domthecalm
 
PPTX
GUIDE TO E-LEARNING DESIGN FOR NON-DESIGNERS
Chema Lozano Guillermo
 
PPTX
EN3604 Week 2: The West's Awake: Language and Location
Claire Lynch
 
An Anatomy of a SQL Injection Attack
Imperva
 
Web Application Security 101 - 14 Data Validation
Websecurify
 
Cryptoghaphy
anita bodke
 
Defcon 17-joseph mccray-adv-sql_injection
Ahmed AbdelSatar
 
SQL Injection - The Unknown Story
Imperva
 
Web Security: SQL Injection
Vortana Say
 
Advanced SQL Injection
amiable_indian
 
D:\Technical\Ppt\Sql Injection
avishkarm
 
SQL Injection in action with PHP and MySQL
Pradeep Kumar
 
Types of sql injection attacks
Respa Peter
 
SQL injection: Not only AND 1=1
Bernardo Damele A. G.
 
Advanced Sql Injection ENG
Dmitry Evteev
 
PHP Security
manugoel2003
 
freeCodeCamp Tokyo meetup 19
健太 田上
 
Mgea 3-edicion-web1
Eduardo Rom
 
introaspnet-3030384.ppt
IQM123
 
February 2015 UK Commercial Bulletin
HML Ltd
 
China Social Media Recruiting & Talent Management Summit 2012 - opening r...
domthecalm
 
GUIDE TO E-LEARNING DESIGN FOR NON-DESIGNERS
Chema Lozano Guillermo
 
EN3604 Week 2: The West's Awake: Language and Location
Claire Lynch
 
Ad

Similar to SQL Injection (20)

PPTX
Sql Injection
penetration Tester
 
PPTX
SQL injection implementation and prevention
Rejaul Islam Royel
 
PPTX
Sql injections (Basic bypass authentication)
Ravindra Singh Rathore
 
PPTX
Sql injection
Uzair ul Haq Khan
 
PPTX
Code injection
Gayatri Patel
 
PPT
SQL injection and buffer overflows are hacking techniques used to exploit wea...
bankservicehyd
 
PDF
IRJET- Detection of SQL Injection using Machine Learning : A Survey
IRJET Journal
 
PPSX
Web application security
www.netgains.org
 
PPTX
Sql injection
Manjushree Mashal
 
PPTX
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
prasadGade6
 
PDF
Sql injection bypassing hand book blackrose
Noaman Aziz
 
PPTX
Code injection and green sql
Kaustav Sengupta
 
PPTX
Greensql2007
Kaustav Sengupta
 
PPTX
Sql injection
The Avi Sharma
 
PDF
Protect Your Database_ SQL Injection Attack Prevention.pdf
Sachin FromDev
 
PPTX
Sql injection
Mehul Boghra
 
PPTX
Sql injection
Nuruzzaman Milon
 
PDF
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions www.ijeijournal.com
 
PDF
Sql injection
Safwan Hashmi
 
PPTX
Whatis SQL Injection.pptx
Simplilearn
 
Sql Injection
penetration Tester
 
SQL injection implementation and prevention
Rejaul Islam Royel
 
Sql injections (Basic bypass authentication)
Ravindra Singh Rathore
 
Sql injection
Uzair ul Haq Khan
 
Code injection
Gayatri Patel
 
SQL injection and buffer overflows are hacking techniques used to exploit wea...
bankservicehyd
 
IRJET- Detection of SQL Injection using Machine Learning : A Survey
IRJET Journal
 
Web application security
www.netgains.org
 
Sql injection
Manjushree Mashal
 
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
prasadGade6
 
Sql injection bypassing hand book blackrose
Noaman Aziz
 
Code injection and green sql
Kaustav Sengupta
 
Greensql2007
Kaustav Sengupta
 
Sql injection
The Avi Sharma
 
Protect Your Database_ SQL Injection Attack Prevention.pdf
Sachin FromDev
 
Sql injection
Mehul Boghra
 
Sql injection
Nuruzzaman Milon
 
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions www.ijeijournal.com
 
Sql injection
Safwan Hashmi
 
Whatis SQL Injection.pptx
Simplilearn
 

Recently uploaded (20)

PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 

SQL Injection

  • 1. Asish Ku. Rath Sr. Software Developer
  • 2.  Introduction  Types of SQL INJECTION  Steps for performing SQL INJECTION  How it Works  Countermeasures  Conclusion  References
  • 4.  SQL Injection is a type of Security Exploit in which the attacker injects SQL statements to gain access to restricted resources and make changes.  TARGET: Web Application with backend database  Uses client supplied SQL queries to get unauthorized access to database.
  • 5.  SQL Manipulation  Code Injection  Function Call Injection  Buffer Over Flow
  • 6.  It means to manipulate and retrieve data in a relational database.  SQL Manipulation comprises the SQL-Data change statements, which modify the stored data but not the schema or database objects.
  • 7.  Code injection is the exploitation of computer application that is caused by processing invalid data.  It is always used malevolently which means it is always used in an evil way to destroy a database by exploiting the other codes.
  • 8.  It is one of the most common type of injection technique where functions are used for injection.  When a function call a parameter then the attacker passes a different parameter to the function resulting something different than expected.
  • 9.  It also one of the common technique used for injection at the users input side.  It is a mechanism of injection by input of data exceeding the limits of the fields of the user input resulting an error message using which the SQL codes are injected.
  • 10.  Input field to submit data (e.g. a login page)
  • 11.  Check for server pages if input field is absent e.g. http://www.xsecurity.com/index.jsp?id=10  In the above example attack will be like this: e.g. http://www.xsecurity.com/index.jsp?id=debu’ or 1=1 –  Look for errors: This can be done using single quotation mark (‘). E.g.
  • 12. Using single quote in the input •sujit’ or 1=1 -- •login: shweta’ or 1=1 -- •http://search/index.asp?id=sql’ or 1=1 -- Depending on the error: • ‘ or 1=1 -- • “ or 1=1 -- •‘ or ‘a’ = ‘a • “ or “a” = “a •‘) or (‘a’ = ‘a)
  • 16.  Minimize the Privilege of Database Connection  Disable Verbose Error Message  Protect the system account “SA”  Audit Source Code: Escape Single Quotes Input Validation Reject Known Bad Input Input Bound Checking All user inputs should be filtered
  • 20. Now a days SQL injection is one of the biggest nightmare among Database administrators. Though we have a lot of way for its prevention but still today’s most website suffer from this attack.
  • 22. 22