SlideShare a Scribd company logo

Sql injection

Download as PPTX, PDF
Z
Zidh

The document discusses SQL injection, including its types, methodology, attack queries, and prevention. SQL injection is a code injection technique where a hacker manipulates SQL commands to access a database and sensitive information. It can result in identity spoofing, modifying data, gaining administrative privileges, denial of service attacks, and more. The document outlines the steps of a SQL injection attack and types of queries used. Prevention methods include minimizing privileges, coding standards, and firewalls.

1 of 15
SQL INJECTION Types, Methodology, Attack Queries and Prevention Presented By Sidharth s Rajeev Titty Mareena George Guided By Dr. Juby Mathew
SQL Injection  Structured Query Language (SQL) is a text language that allows manipulating the data stored in the database through the commands such as INSERT, UPDATE and DELETE etc.  Code injection technique in which hacker manipulates the logic of SQL command to obtain access on the database and other sensitive information.  Most common vulnerability present on the network.
Consequences of SQL injection  Loss of Confidentiality  Loss Of authentication  Loss of authorization  Lack of Integrity
SQL Injection Threats S.no Threat Description 1 Identity Spoofing In this attack people are duped to believe that the respective mail or website is genuine while actually not. 2 Changing the price of original data In this attack hacker modifies the original data 3 Modifying the records resent in the database Attacker either detects the data from the database or completely replaces the existing data. 4 Gaining access over administrative privileges Once the hacker gets successful in gaining access on the system then to gain complete access on both the system and the network he seeks for the high privileges which are used by the administrative number. 5 Denial of Service Multiple bugs request are sent to the server which cannot be handle by the server as a result there is a temporary halt in the service and thus user is unable to access the system.
6 Gaining access over highly sensitive information Once the hacker gain access on the network, the attacker obtain access on the highly sensitive information such as credit card number and other monetary information. 7 Destroys the existing data present in the database After gaining the complete access over the system the attacker destroys the existing data completely resulting into huge loss. 8 Attacks machine’s performance The attacker halts all the important transactions which is performed by the system. 9 Modifies the existing data present in the record Once attacker obtains complete access over the system, he modifies the existing data resulting into huge losses
SQL Injection Attacks  Authentication Bypass  Leaking sensitive information  Loss of Data Integrity  Loss of availability of Data  Remote Code Execution
Types of SQL Injection
SQL Injection Step by Step
Steps involved are: 1. Information Gathering 2. SQL injection Vulnerability Detection  First attacker lists all the input fields, hidden fields and posts requests  Then attacker injects codes into the input field to generate an error  Attacker enter ('), (;), (––), AND and/or in input field, if it generates an error page then it means that the website is vulnerable towards the SQL injection. 3. Launch SQL injection attack 4. Extract the data 5. Interact with operating system 6. Compromise the system
SQL Injection Queries  SQL Injection Query • This query is always true.
 Query for Updating Table  Query for Adding New Records
 Query for Identifying Table Name  Query for Deleting the Table
Sql injection
SQL Injection Tools
Preventing SQL Injection Attacks  Minimizing the Privileges  Implementation of Consistent Coding Standards  SQL Server Firewalling

More Related Content

Sql injection

  • 1. SQL INJECTION Types, Methodology, Attack Queries and Prevention Presented By Sidharth s Rajeev Titty Mareena George Guided By Dr. Juby Mathew
  • 2. SQL Injection  Structured Query Language (SQL) is a text language that allows manipulating the data stored in the database through the commands such as INSERT, UPDATE and DELETE etc.  Code injection technique in which hacker manipulates the logic of SQL command to obtain access on the database and other sensitive information.  Most common vulnerability present on the network.
  • 3. Consequences of SQL injection  Loss of Confidentiality  Loss Of authentication  Loss of authorization  Lack of Integrity
  • 4. SQL Injection Threats S.no Threat Description 1 Identity Spoofing In this attack people are duped to believe that the respective mail or website is genuine while actually not. 2 Changing the price of original data In this attack hacker modifies the original data 3 Modifying the records resent in the database Attacker either detects the data from the database or completely replaces the existing data. 4 Gaining access over administrative privileges Once the hacker gets successful in gaining access on the system then to gain complete access on both the system and the network he seeks for the high privileges which are used by the administrative number. 5 Denial of Service Multiple bugs request are sent to the server which cannot be handle by the server as a result there is a temporary halt in the service and thus user is unable to access the system.
  • 5. 6 Gaining access over highly sensitive information Once the hacker gain access on the network, the attacker obtain access on the highly sensitive information such as credit card number and other monetary information. 7 Destroys the existing data present in the database After gaining the complete access over the system the attacker destroys the existing data completely resulting into huge loss. 8 Attacks machine’s performance The attacker halts all the important transactions which is performed by the system. 9 Modifies the existing data present in the record Once attacker obtains complete access over the system, he modifies the existing data resulting into huge losses
  • 6. SQL Injection Attacks  Authentication Bypass  Leaking sensitive information  Loss of Data Integrity  Loss of availability of Data  Remote Code Execution
  • 7. Types of SQL Injection
  • 9. Steps involved are: 1. Information Gathering 2. SQL injection Vulnerability Detection  First attacker lists all the input fields, hidden fields and posts requests  Then attacker injects codes into the input field to generate an error  Attacker enter ('), (;), (––), AND and/or in input field, if it generates an error page then it means that the website is vulnerable towards the SQL injection. 3. Launch SQL injection attack 4. Extract the data 5. Interact with operating system 6. Compromise the system
  • 10. SQL Injection Queries  SQL Injection Query • This query is always true.
  • 11.  Query for Updating Table  Query for Adding New Records
  • 12.  Query for Identifying Table Name  Query for Deleting the Table
  • 15. Preventing SQL Injection Attacks  Minimizing the Privileges  Implementation of Consistent Coding Standards  SQL Server Firewalling