Date posted: 07-Aug-2015
Uploaded by: syed-ahamad
Web Application Security
Presented by:
Md Syed Ahamad
Detection and Prevention of SQL Injection
Project under:
Dr. Ferdous Ahmed
Topics
Introduction
Webgoat and WebScarab
Prevention Mechanism and Detection Mechanism
Methods
Visual
Advantage and disadvantage
Conclusion
CS200 Detection and Prevention of SQL Injection
Introduction
Threat Agents – Application Specific
Attack Vectors – Exploitability: Easy
Security Weakness – Prevalence: Common; Detectability: Average
Technical Impacts – Severe
Business Impacts – Business Specific
WebGoat and WebScarab
WebGoat – web-based application for demonstrating common web application flaws
Used to practise application penetration testing techniques
WebScarab – used as a proxy on localhost in front of WebGoat
Intercepts and shows each request and response
Parameters can be modified before they are forwarded
SQL Injection
Serious threat
String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
String query = "SELECT * FROM account WHERE username='" + a + "' AND PIN='" + b + "'";
Here, a = 998'or'1'='1 and b may be empty or anything.
Prevention Mechanism
Parametrized Query
Specific primitive data type
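As an added example (not code from the slides), the concatenated custID query from the SQL Injection slide is run beside the two prevention mechanisms listed above, parametrized queries and conversion to the specific primitive type, against a constructed in-memory SQLite table. The query shape and the payload 998'or'1'='1 come from the slides; the table contents, the function names and the use of SQLite are assumptions made for this example.

```python
import sqlite3

# The slide's example value for the id parameter (quote immediately followed by "or").
PAYLOAD = "998'or'1'='1"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID INTEGER, name TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    """Same construction as the slide: the request parameter is concatenated into SQL."""
    query = "SELECT name FROM accounts WHERE custID='" + raw_id + "' ORDER BY custID"
    return [row[0] for row in conn.execute(query)]


def lookup_parametrized(conn: sqlite3.Connection, raw_id: str) -> list:
    """Placeholder query: the driver binds raw_id as data, so quotes in it never alter the SQL."""
    query = "SELECT name FROM accounts WHERE custID=? ORDER BY custID"
    return [row[0] for row in conn.execute(query, (raw_id,))]


def lookup_typed(conn: sqlite3.Connection, raw_id: str) -> list:
    """Convert to the primitive type the column expects before the value reaches SQL.
    Anything that is not an integer, including the slide's payload, raises ValueError."""
    cust_id = int(raw_id)
    query = "SELECT name FROM accounts WHERE custID=? ORDER BY custID"
    return [row[0] for row in conn.execute(query, (cust_id,))]


def demo() -> dict:
    """Run all three lookups against the payload and report what each returns."""
    conn = make_db()
    results = {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),      # every account is returned
        "parametrized": lookup_parametrized(conn, PAYLOAD),  # no row has that literal id
    }
    try:
        lookup_typed(conn, PAYLOAD)
        results["typed"] = "accepted"
    except ValueError:
        results["typed"] = "rejected"                        # fails type conversion
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:13s} {outcome}")
```

With the payload, the concatenated query becomes `... WHERE custID='998'or'1'='1'`, which is true for every row, so both accounts come back. The parametrized form compares the column against the whole string as a value and returns nothing, and the typed form never builds a query at all because the conversion fails first; the two mechanisms are complementary, with type conversion also giving a place to log the rejected input.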
Prevention Mechanism
Indirect SQL Query
Avoid building the SQL query directly from the input
A tuple similar to the input is retrieved and compared against the input
If a match is found, go ahead; otherwise return false
Detection Mechanism
Methods
Regular Expression – /\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix
@"(;|\s)(exec|execute|select|insert|update|delete|create|alter|drop|rename|truncate|backup|restore)\s"
Parametrized
Visual
Advantage and disadvantage
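As an added example (not code from the slides), the two regular expressions from the Detection Mechanism slide are compiled and run over a constructed sample of request parameter values, including the slide's own payload, to show where each signature fires and where it does not. The patterns are the slide's; the sample values, the function names and the IGNORECASE flag on the second pattern are assumptions made here.

```python
import re

# The two signatures from the slide. QUOTE_OR flags a single quote (plain or URL-encoded
# as %27) immediately followed by "or" in any case or encoding; KEYWORD flags a statement
# separator or whitespace, then an SQL keyword, then whitespace. The slide shows the
# first with the i and x flags; applying IGNORECASE to the second as well is an assumption
# made here so that upper-case keywords are not missed.
QUOTE_OR = re.compile(r"\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))", re.I | re.X)
KEYWORD = re.compile(
    r"(;|\s)(exec|execute|select|insert|update|delete|create|alter|drop|rename|truncate"
    r"|backup|restore)\s",
    re.I,
)


def classify(value: str) -> list:
    """Return the names of the signatures that fire on one request parameter value."""
    hits = []
    if QUOTE_OR.search(value):
        hits.append("quote-or")
    if KEYWORD.search(value):
        hits.append("sql-keyword")
    return hits


# Constructed sample of (parameter, value) pairs as a proxy log might record them.
SAMPLES = [
    ("id", "998'or'1'='1"),             # the slide's payload
    ("id", "998%27or%271%27=%271"),     # same payload, URL-encoded quotes
    ("id", "998' or '1'='1"),           # quote and "or" not adjacent: neither signature fires
    ("q", "1; DROP TABLE accounts"),
    ("name", "Fleur d'or"),             # benign French text: QUOTE_OR fires anyway
    ("id", "42"),
]


def scan(samples=SAMPLES) -> dict:
    """Map each sample value to the signatures it triggers."""
    return {value: classify(value) for _, value in samples}


if __name__ == "__main__":
    for value, hits in scan().items():
        print(f"{value!r:32s} {hits or 'clean'}")
```

The run illustrates the advantage and disadvantage the slide lists for signature-based detection: the patterns are cheap to apply at a proxy and catch the slide's payload in both plain and URL-encoded form, but the first also fires on ordinary text containing an apostrophe followed by "or", and a value whose quote and "or" are separated by whitespace produces no hit from either pattern. Signatures therefore complement, rather than replace, the parametrized queries listed under prevention.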