SQL Injection: How It Works, How to Stop It
3 likes394 views
The document outlines the nature and prevention of SQL injection attacks, explaining how they occur and the vulnerabilities they exploit in databases. It discusses various types of SQL injection, detection methods, and emphasizes prevention strategies such as using parameterized queries and proper input validation. Additionally, it provides resources for further information on SQL injection and cybersecurity.
SQL Injection: How It Works, How to Stop It
- 1. SQL Injection: How It Works, How To Stop It Grant Fritchey, Redgate Software
- 2. Goals Understand how SQL Injection attacks occur Identify the traces left behind by a SQL Injection attack Learn how to prevent SQL Injection
- 4. SQL Injection Data Breaches
- 5. Single Greatest Known Explanation of SQL Injection https://www.xkcd.com/327/
- 7. What is SQL Injection? SQL code added, injected, to the input of a form, application, or URL All SQL-based databases are vulnerable All operating systems are vulnerable Requires Improperly escaped input No parameterization of input Inappropriate or inadequate security on database
- 8. You can’t handle SQL Injection
- 9. SQL Injection Attack Types • Error-based SQL Injection • Union-based SQL Injection In-Band Injection Blind Injection Out of Band Injection
- 10. SQL Injection! What A Show, SQL Injection! Here We Go, We know you’re wishing that we’d go away…
- 11. How To Detect SQL Injection NOTE: Not all attacks can be detected Failed logins Incorrect syntax errors Invalid object errors UNION ALL errors Permissions errors Changes to the data structures
- 12. I love the smell of SQL Injection in the morning
- 13. How To Prevent SQL Injection Use parameterized stored procedures Use parameterized statements Validate all user input Implement proper error handling Least privilege principal
- 14. Qualifications? SQL Injection, murder, arson, SQL Injection You said SQL Injection twice I like SQL Injection
- 15. Additional Mitigation Techniques Use encryption Hash some values Segregate your data storage Enable database auditing Log errors and changes
- 16. Nobody expects SQL Injection!
- 17. Where To Get More Information • OWASP Top 10 – 2017 • SQL Injection Attacks: A cheat sheet for business pros • SQL Injection: Defense in Depth • SQL Injection: How it Works and How to Thwart it • Picking over the Bones of a SQL Injection Attack • How to Detect SQL Injection Attacks • National Cybersecurity and Communications Integration Center • SQLi Hall-of-Shame
- 18. Bobby Tables? I thought you were dead.
- 19. How To Prevent SQL Injection Use parameterized stored procedures Use parameterized statements Validate all user input Implement proper error handling Least privilege principal
- 20. Goals Understand how SQL Injection attacks occur Identify the traces left behind by a SQL Injection attack Learn how to prevent SQL Injection
- 22. Information Sources • https://www.theverge.com/2019/4/27/18518619/i-dress-up-virtual- website-ftc-data-breach • https://calgarysun.com/news/local-news/100-million-class-action- lawsuit-filed-in-calgary-over-marriott-hotels-data-breach • https://campustechnology.com/articles/2019/04/17/georgia-tech- breach-strikes-possible-1-3-million.aspx • https://www.thesslstore.com/blog/80-eye-opening-cyber-security- statistics-for-2019/ • https://thefintechtimes.com/security-scorecard-reveals/
- 23. Film frames used in parady (aka, fair use) • A Few Good Men • History of the World • Apocalypse Now • Blazing Saddles • Monty Python’s Flying Circus • Escape From New York