
A STUDY ON DETECTION AND PREVENTION

OF SQL INJECTION

05/28/21 SINHGAD COLLEGE OF ENGINEERING, DEPARTMENT OF COMP. ENGINEERING, STCL 2015-16. 1


Introduction
• Structured Query Language (SQL) is a text language that allows
manipulating the data stored in a database through commands such as
INSERT, UPDATE and DELETE.
• SQL injection is a code injection technique in which an attacker
manipulates the logic of a SQL command to gain access to the database
and other sensitive information.



Problem Statement
• SQL injection is one of the main subjects in the study of database
security attacks.
• SQL injection attacks allow attackers to spoof identity, change
existing data, cause repudiation issues such as destroying data or making
it otherwise unavailable, and become administrators of the database
server.



Motivation
• Determining Database Schema
• Extracting Data
• Identifying SQL Injection vulnerability



SQL INJECTION
The ability to inject SQL commands into the database engine through
an existing application.

Types of SQL Injection attacks


• Tautologies
• Illegal/Logically Incorrect Queries



Tautologies
• Inject code into one or more conditional statements so that they
always evaluate to true
• Example (the injected password value is ' or 1 = 1, which turns the
WHERE clause into a condition that is always true):
SELECT name FROM user_details WHERE username = 'abc' AND
password = '' or 1 = 1



Illegal/Logically Incorrect Queries
• Inject statements that cause a syntax, type conversion, or logical error
in the database.
• Example (convert() forces a type-conversion error in the database):
SELECT accounts FROM users WHERE login = '' AND pass = ''
AND pin = convert(int, (select name from sysobjects where
xtype = 'u'))



Prevention Of SQLIAs
• The root cause of SQL injection vulnerabilities is insufficient input
validation
• Solution:
- Defensive coding practices
- Detection & prevention techniques



Defensive coding practices
• Input type checking
• Encoding of inputs
• Positive pattern matching
• Identification of all input sources



Detection & Prevention Techniques
AMNESIA

• Analysis and Monitoring for NEutralizing SQL Injection Attacks

• Uses a combination of static analysis and runtime monitoring.



SQLRand

• Extends the idea of Instruction-set Randomization to SQL: a random
integer is appended to each standard SQL keyword, so injected keywords
that do not carry the correct suffix are not recognized by the parser.



Web Application SQL Injection Preventer (WASP)

• Allows only developer-trusted strings to form parts of a query



Algorithm: Static Pattern Matching Algorithm (SPMA)
1. Procedure SPMA(Query, SPL[])
   INPUT: Query <- user-generated query
          SPL <- static patterns with anomaly patterns (m entries)
2. For j = 1 to m do
3.   If (AC(Query, StringLength(Query), SPL[j][0]) == ∅) Then
4.     Anomalyscore = Matchingvalue(Query, SPL[j]) * 100 / StringLength(SPL[j])
5.     If (Anomalyscore >= Thresholdvalue)
6.     Then
7.       Return Alarm -> Administrator
8.     Else
9.       Return Query -> Accepted
10.    End If
11.  Else
12.    Return Query -> Rejected
13. End For
End Procedure
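The SPMA procedure above, implemented as an added example (this is not code from the slides). AC() is simplified to a case-insensitive substring test, Matchingvalue() is assumed to be the length of the longest common substring of query and pattern, and the pattern list SPL and the threshold are constructed sample values.

```python
from typing import List, Tuple

# Constructed sample pattern list SPL[]; these values are not from the slides.
SPL = ["' or 1 = 1", "union select", "; drop table", "'--"]

# AC(Query, StringLength(Query), SPL[j]): the slides use an Aho-Corasick scan
# for an exact occurrence of the pattern. For a single pattern a substring test
# gives the same yes/no answer, so it is used here (assumed simplification).
def ac_match(query: str, pattern: str) -> bool:
    return pattern.lower() in query.lower()

# Matchingvalue(Query, SPL[j]) is not defined on the slides. Assumed here to be
# the length of the longest common substring of the query and the pattern.
def matching_value(query: str, pattern: str) -> int:
    q, p = query.lower(), pattern.lower()
    best, prev = 0, [0] * (len(p) + 1)
    for i in range(1, len(q) + 1):
        cur = [0] * (len(p) + 1)
        for j in range(1, len(p) + 1):
            if q[i - 1] == p[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best

def anomaly_score(query: str, pattern: str) -> float:
    # Step 4: Matchingvalue(Query, SPL[j]) * 100 / StringLength(SPL[j])
    return matching_value(query, pattern) * 100.0 / len(pattern)

def spma(query: str, spl: List[str], threshold: float) -> Tuple[str, float]:
    """Return (verdict, highest anomaly score). 'Rejected' = exact anomaly
    pattern found (step 12), 'Alarm' = score >= threshold (step 7), otherwise
    'Accepted' (step 9). The slides return inside the loop; here every pattern
    is scored before accepting, which is the assumed intent."""
    worst = 0.0
    for pattern in spl:                                    # step 2: j = 1..m
        if ac_match(query, pattern):                       # step 3: exact hit
            return "Rejected", 100.0
        worst = max(worst, anomaly_score(query, pattern))  # step 4
    if worst >= threshold:                                 # step 5
        return "Alarm", worst
    return "Accepted", worst

if __name__ == "__main__":
    base = "SELECT name FROM user_details WHERE username = 'abc' AND password = "
    # benign value, exact tautology, and a spacing variant that only scores high
    for q in (base + "'xyz'", base + "'' or 1 = 1", base + "''  or 1 = 1"):
        print(spma(q, SPL, 70.0), "<-", q)
```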



Architecture used for Detecting SQLIA



Defence Against SQL Injection
• Comprehensive data sanitization
• Limit database privileges by context.
• Avoid constructing SQL queries with user input
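An added example (not code from the slides) covering the "Defensive coding practices" slide and the points above: the tautology from the earlier Tautologies slide is fed to a query built by string concatenation and to a hardened version that applies positive pattern matching to the username and passes both values as query parameters. The table, the user row and the username policy are constructed assumptions.

```python
import re
import sqlite3

# Constructed in-memory database with one user (sample data, not from the slides).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_details (name TEXT, username TEXT, password TEXT)")
    conn.execute("INSERT INTO user_details VALUES ('Alice', 'abc', 's3cret')")
    conn.commit()
    return conn

# Vulnerable: the query is built from user input, so the input is parsed as SQL.
# This is the construction the slides say to avoid.
def login_concat(conn, username: str, password: str):
    sql = ("SELECT name FROM user_details WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()

# Positive pattern matching: accept only the characters a username may contain.
# Assumed policy: 3 to 32 letters, digits or underscores.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")

# Hardened: placeholders send the values separately from the SQL text, so
# "' or 1 = 1" is compared as a literal string and never evaluated as a condition.
def login_param(conn, username: str, password: str):
    if not USERNAME_RE.fullmatch(username):
        return None  # input type check failed: reject before touching the database
    sql = "SELECT name FROM user_details WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()

if __name__ == "__main__":
    db = make_db()
    tautology = "' or 1 = 1 --"  # the tautology value from the slides' example
    print("concat:", login_concat(db, "abc", tautology))  # row returned: bypass
    print("param :", login_param(db, "abc", tautology))   # None: not a match
    print("valid :", login_param(db, "abc", "s3cret"))    # ('Alice',)
```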



Advantages
• SQL allows you to select and output data from a database.
• It takes advantage of security vulnerabilities in websites and
applications.
• SQL also allows you to alter data in a database and add new data.



Applications
• Attackers can use SQL injection vulnerabilities to bypass application
security measures.
• They can go around the authentication and authorization of a web
application to retrieve the contents of its database.
• They can also use SQL injection to add, modify, and delete records in
the database.



Conclusion
• SQL injection is a technique for exploiting applications that use a
relational database as their back end.
• Applications compose SQL statements and send them to the database.
• Any database can be the target of SQL injection, and all are
vulnerable to this technique.





Thank You!

Guided By: Prof. N.P.Bunge, SCOE, Pune
Presented By: Anjali Kumkar (305B033)
