Database Threats - Information System Security

Date post: 17-Jul-2015
Upload: sandra-sukarieh

Database Threats: Information System Security

Presented by:

Abdul Majeed Al-Kattan

Rabee Al-Rass

Rahaf Aamer

Rimon Koroni

Sandra Sukarieh

The Content

• Sensitive Data Exposure.

• Security Misconfiguration.

• SQL Injection (Blind)

• Insecure Direct Object Reference

• Cross Site Scripting

• Denial of Service

Information System Security 2

Sensitive Data Exposure


Security Misconfiguration


SQL Injection

• Occurs when untrusted data is sent to an interpreter as part of a command or query.

• The attacker's malicious data can trick the interpreter into:

1. Executing unintended commands.

2. Accessing data without authorization.

3. Damaging the contents of the database.


SQL Injection


SQL Injection Prevention

• Escape strings:

1. mysqli_real_escape_string()

2. addslashes()

• Example:

x' or 'x'='x' --

When mysqli_real_escape_string() is applied, it becomes:

x\' or \'x\'=\'x\' --
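As an added example (not code from the slides), the same payload run against a small SQLite database in Python: a query built by string concatenation returns every user, a parameterised query returns none, and a pure-Python imitation of the characters mysqli_real_escape_string() handles reproduces the transformation shown above. The users table and its two rows are constructed for the demo. Backslash escaping is MySQL's convention; standard SQL (and SQLite) doubles the quote instead, and the real function also depends on the connection character set, which is why parameterised queries are the preferred defence over escaping.

```python
import sqlite3

PAYLOAD = "x' or 'x'='x' --"  # the payload from the slide


def make_db():
    """Constructed sample database: a users table with two rows (not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_unsafe(conn, name, password):
    """Vulnerable form: untrusted input is spliced into the SQL text, so the quote
    and the trailing '--' comment change the structure of the query."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, name, password):
    """Hardened form: placeholders send the values separately from the command, so
    the same input is compared as a plain string literal and matches nothing."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def mysql_escape(s):
    """Pure-Python imitation of the characters mysqli_real_escape_string() escapes
    (NUL, newline, carriage return, backslash, single and double quote, Ctrl-Z).
    It reproduces the slide's transformation for illustration only; it is not the
    real function and ignores the connection character set."""
    table = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
             "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in s)


if __name__ == "__main__":
    db = make_db()
    print("unsafe: ", login_unsafe(db, "alice", PAYLOAD))  # ['alice', 'bob']
    print("safe:   ", login_safe(db, "alice", PAYLOAD))    # []
    print("escaped:", mysql_escape(PAYLOAD))               # x\' or \'x\'=\'x\' --
```

In the unsafe form the WHERE clause becomes `name = 'alice' AND password = 'x' or 'x'='x'` with the closing quote commented out, and the `OR` makes it true for every row; in the safe form the driver never lets the value touch the SQL grammar.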


Insecure Direct Object Reference

• An insecure direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key.

• Without access control checks or other protection, an attacker can manipulate these references to reach data without proper authorization.


Insecure Direct Object Reference


Insecure Direct Object Reference Prevention

• Never expose application or database internals to the public.

• Hide system objects behind non-descriptive names and encrypt the values.

• Use server-side sessions instead of relying on cookies alone.
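An added Python example (not code from the slides) of the two preventions above: an ownership check on a direct reference, and a per-session indirect reference map that shows the client random tokens instead of internal keys. The invoice records and their owners are constructed for the demo; `get_invoice_checked` and `ReferenceMap` are hypothetical names.

```python
import secrets

# Constructed sample data (not from the slides): invoices keyed by their internal database id.
INVOICES = {
    101: {"owner": "alice", "total": 120},
    102: {"owner": "bob", "total": 75},
}


def get_invoice_unsafe(invoice_id):
    """Insecure direct object reference: any valid id is served, so changing the
    id in a request reads another user's record."""
    return INVOICES.get(invoice_id)


def get_invoice_checked(session_user, invoice_id):
    """Hardened: the record is returned only to the user the session belongs to.
    Returns None both for a missing record and for one owned by someone else, so
    a caller cannot tell the two apart (a web handler would answer 404 in both cases)."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != session_user:
        return None
    return inv


class ReferenceMap:
    """Per-session indirect reference map (one way to hide system objects behind
    non-descriptive names): the client only ever sees random tokens, the server
    keeps the token-to-id table, and a token minted for one session is meaningless
    in another."""

    def __init__(self):
        self._by_token = {}
        self._by_id = {}

    def token_for(self, internal_id):
        """Return this session's token for an internal id, minting one on first use."""
        if internal_id not in self._by_id:
            token = secrets.token_urlsafe(16)
            self._by_id[internal_id] = token
            self._by_token[token] = internal_id
        return self._by_id[internal_id]

    def resolve(self, token):
        """Map a client-supplied token back to an internal id, or None if unknown."""
        return self._by_token.get(token)


def view_invoice(session_user, refmap, token):
    """Request-handler sketch: resolve the token, then still enforce ownership.
    The indirection hides the key; the ownership check is what protects the data."""
    internal_id = refmap.resolve(token)
    if internal_id is None:
        return None
    return get_invoice_checked(session_user, internal_id)
```

The ownership check is the essential control: an unguessable token on its own only slows an attacker down, and it fails entirely if the token ever leaks into a log or a shared link.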


Cross Site Scripting

• Cross-site scripting flaws occur when the application receives untrusted data and sends it to the browser without proper validation or escaping.

• Cross-site scripting flaws allow the attacker to run scripts in the victim's browser, which may lead to:

1. Theft of the user's session.

2. Defacement of the website.

3. Redirection of the user to malicious sites.


Cross Site Scripting


Cross Site Scripting Prevention

• Contextual Encoding:

1. HTML Encoding.

2. JavaScript Encoding.

3. CSS Encoding.
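An added Python example (not code from the slides) of the three contextual encodings: an HTML encoder built on the standard library's `html.escape`, and JavaScript-string and CSS encoders that hex-escape every character other than ASCII letters and digits. The untrusted input string and the `render_profile` page template are constructed for the demo.

```python
import html

# Constructed untrusted input (not from the slides): contains the characters that
# change meaning in an HTML, JavaScript or CSS context.
UNTRUSTED = "O'Brien \"the\" <b>"


def html_encode(s):
    """HTML body or quoted-attribute context: &, <, >, double and single quote
    become entities, so the data can never open or close a tag."""
    return html.escape(s, quote=True)


def js_string_encode(s):
    """JavaScript string-literal context: keep ASCII letters and digits, write
    everything else as \\xHH (Latin-1) or \\uHHHH (UTF-16 code units, so characters
    above U+FFFF become a surrogate pair)."""
    out = []
    for ch in s:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp < 0x100:
            out.append("\\x%02X" % cp)
        else:
            units = ch.encode("utf-16-be")
            for i in range(0, len(units), 2):
                out.append("\\u%04X" % int.from_bytes(units[i:i + 2], "big"))
    return "".join(out)


def css_encode(s):
    """CSS value context: keep ASCII letters and digits, write everything else as
    \\HHHHHH. A fixed six hex digits means no trailing space is needed to end the escape."""
    return "".join(
        ch if (ch.isascii() and ch.isalnum()) else "\\%06X" % ord(ch) for ch in s
    )


def render_profile(display_name, theme_colour):
    """Each piece of untrusted data is encoded for the exact context it lands in:
    HTML text, a JavaScript string literal, and a CSS property value."""
    return (
        f"<h1>Welcome, {html_encode(display_name)}</h1>\n"
        f"<script>var user = '{js_string_encode(display_name)}';</script>\n"
        f"<style>h1 {{ color: {css_encode(theme_colour)}; }}</style>"
    )


if __name__ == "__main__":
    print(render_profile(UNTRUSTED, "#f00"))
```

The point of "contextual" is that one encoder is not enough: HTML entities are meaningless inside a `<script>` string and a JavaScript escape is meaningless inside a `<style>` block, so the encoder is chosen by where the output lands, not by where the input came from.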


Denial Of Service

• An attack that floods the database or application service with a stream of requests, depriving legitimate users of the service.

• This attack can be carried out with the tool slowhttptest.


Denial Of Service


Denial of Service Prevention

• Firewall.

• Cloud mitigation provider: DDoS attack detection and monitoring.

• Flow-Based Monitoring (PLXfbm): a service that monitors NetFlow on your router.
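An added Python example (not code from the slides) of the flow-based monitoring idea: a small detector that reads NetFlow-style records and flags any source holding many long-lived, nearly empty connections to the web server, which is the pattern a slow-HTTP attack of the kind slowhttptest produces leaves in flow data. The flow lines, their text format, the IP addresses (RFC 5737 documentation ranges) and the thresholds are all constructed for the demo; a real exporter emits binary NetFlow and thresholds must be tuned to real traffic.

```python
from collections import defaultdict

# Constructed NetFlow-style records (not from the slides), one flow per line:
# "timestamp src dst bytes duration_seconds". 203.0.113.5 holds six long-lived,
# almost-empty connections to the web server; 198.51.100.7 is an ordinary client.
FLOWS = """\
2015-07-17T10:00:01 203.0.113.5 192.0.2.10:80 96 41.0
2015-07-17T10:00:01 203.0.113.5 192.0.2.10:80 102 39.5
2015-07-17T10:00:02 203.0.113.5 192.0.2.10:80 88 44.2
2015-07-17T10:00:02 203.0.113.5 192.0.2.10:80 110 38.8
2015-07-17T10:00:03 203.0.113.5 192.0.2.10:80 97 42.6
2015-07-17T10:00:03 203.0.113.5 192.0.2.10:80 91 40.1
2015-07-17T10:00:04 198.51.100.7 192.0.2.10:80 18342 0.4
2015-07-17T10:00:05 198.51.100.7 192.0.2.10:80 5210 0.2
2015-07-17T10:00:06 198.51.100.7 192.0.2.10:80 40011 1.3
"""


def parse_flows(text):
    """Parse the constructed text format into dicts, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes, duration = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "bytes": int(nbytes), "duration": float(duration)})
    return flows


def slow_sources(flows, min_flows=5, max_bytes=500, min_duration=20.0):
    """Flag sources with at least min_flows connections that are both long-lived
    (duration >= min_duration seconds) and nearly empty (bytes <= max_bytes).
    Returns sorted (source, count) pairs; thresholds are illustrative."""
    counts = defaultdict(int)
    for f in flows:
        if f["bytes"] <= max_bytes and f["duration"] >= min_duration:
            counts[f["src"]] += 1
    return sorted((src, n) for src, n in counts.items() if n >= min_flows)


if __name__ == "__main__":
    for src, n in slow_sources(parse_flows(FLOWS)):
        print(f"{src}: {n} slow, near-empty connections")  # 203.0.113.5: 6 ...
```

Counting flows per source is what makes this a flow-level rather than a packet-level check: a single slow connection looks like a patient client, and only the number of them held open at once by one source separates an attack from normal use, which is why the same signal is cheap to compute from router exports without inspecting payloads.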


Thank You.
