What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybersecurity Training | Edureka
•
5 j'aime•932 vues
(** Cyber Security Course: https://www.edureka.co/cybersecurity-certification-training **) This ‘SQL Injection Attack’ PPT by Edureka will help you learn one of the most dangerous web application vulnerability – SQL Injection. Below is the list of topics covered in this session: Web Application Security What is SQL Injection Attack? Types of SQL Injection attacks Demo – SQL Injection Attack Types Prevention of SQL Injection Attack Cyber Security Playlist: https://bit.ly/2N2jlNN Cyber Security Blog Series: https://bit.ly/2AuULkP Instagram: https://www.instagram.com/edureka_lea... Facebook: https://www.facebook.com/edurekaIN/ Twitter: https://twitter.com/edurekain LinkedIn: https://www.linkedin.com/company/edureka
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybersecurity Training | Edureka
Similaire à What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybersecurity Training | Edureka (20)
Plus de Edureka!
Plus de Edureka! (20)
Dernier
Dernier (20)
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybersecurity Training | Edureka
- 1. Cybersecurity Certification Training www.edureka.co/cybersecurity-certification-training
- 2. Cybersecurity Certification Training www.edureka.co/cybersecurity-certification-training Agenda What is Application Security? What is SQL Injection Attack? Types of SQL Injection Attacks Demo - SQL Injection Attack types Prevention of SQL Injection attack 01 02 03 04 05
- 3. Copyright © 2019, edureka and/or its affiliates. All rights reserved. Application Security
- 4. Cybersecurity Certification Training www.edureka.co/cybersecurity-certification-training Cybersecurity Application Security Network Security Information Security Operational Security Disaster Recovery End-user Education Cyber security refers to the body of technologies, processes, and practices designed to protect networks, devices, programs, and data from attack, damage, or unauthorized access.
- 5. Cybersecurity Certification Training www.edureka.co/cybersecurity-certification-training Web Application Vulnerabilities Application Security Application security is the use of software, hardware, and procedural methods to protect applications from external threats. 0% 10% 20% 30% 40% 50% 0.06% 0.19% 0.63% 1.69% 2.19% 2.19% 2.44% 2.75% 8.63% 9.69% 18.01% 4.57% 46.97% Denial of Service XML External Entity Open Direct General Bypass Authentication Bypass Remote File Inclusion Full Path Disclosure Remote Code Execution Local File Inclusion Cross Site Request Forgery File Upload SQL Injection Cross Site Scripting
- 6. Cybersecurity Certification Training www.edureka.co/cybersecurity-certification-training
- 7. Copyright © 2019, edureka and/or its affiliates. All rights reserved. What is SQL Injection?
- 8. Front End: HTML, CSS, JavaScript The need for more advanced technology and dynamic websites grew. Database: MySQL, Oracle, MongoDB Back End: .NET, PHP, Ruby, Python In the early days of internet, building websites was pretty straightforward
- 9. Cybersecurity Certification Training www.edureka.co/cybersecurity-certification-training What is SQL Injection? A SQL query is in one way an application interacts with database An SQL Injection occurs when an application fails to sanitize the user input data An attacker can use specially crafted SQL commands to control web application’s database server
- 10. Cybersecurity Certification Training www.edureka.co/cybersecurity-certification-training SQL Injection Attack – Non Technical Explanation Drive through <route> and <where should the bus stop?> if <when should the bus stop?>. Sample populated form Drive through route77 and stop at the bus stop if there are people at the bus stop Drive through route77 and do not stop at the bus stop and ignore the rest of the from. if there are people at the bus stop
- 11. Cybersecurity Certification Training www.edureka.co/cybersecurity-certification-training SQL Injection Attack – Technical Explanation Sample SQL statement $statement = “SELECT * FROM users WHERE username = ‘$user’ AND password = ‘$password‘“; $statement = “SELECT * FROM users WHERE username = ‘Dean’ AND password = ‘WinchesterS’“; Sample SQL Injection Condition that will always be true, thereby it is accepted as a valid input by the application Instructs the SQL parser that the rest of the line is a comment and should not be executed $statement = “SELECT * FROM users WHERE username = ‘Dean OR ‘1’=‘1’ --‘AND password = ‘WinchesterS’“;
- 12. Cybersecurity Certification Training www.edureka.co/cybersecurity-certification-training Impact of SQL Injection Attack Extract sensitive information Misusing authentication details Delete data and drop tables
- 13. Copyright © 2019, edureka and/or its affiliates. All rights reserved. Types of SQL Injection
- 14. Cybersecurity Certification Training www.edureka.co/cybersecurity-certification-training Categories of SQL Injection SQL Injection Error-based Union-based In-Band SQLi Blind SQLi Out-of-bound SQLi Boolean-based Time-based
- 15. Cybersecurity Certification Training www.edureka.co/cybersecurity-certification-training Error BasedError Based Types of SQL Injection Error-based SQL Injection Union-based SQL Injection Union Based Boolean Based Time Based Out-of-bound https://example.com/index.php?id=1 AND SELECT "mysql" UNION SELECT @@version https://example.com/index.php?id=1 AND(SELECT 1 FROM(SELECT COUNT(*),concat(version(),FLOOR(rand(0)*2))x FROM information_schema.TABLES GROUP BY x)a)-- https://example.com/index.php?id=1+AND+IF(version()+LIKE+'5%',true,false) https://example.com/index.php?id=1+AND+IF(version()+LIKE+'5%',sleep(3),false)) Out-of-boundTime BasedUnion Based Boolean Based
- 16. Copyright © 2019, edureka and/or its affiliates. All rights reserved. Demo – Types of SQL Injection
- 17. Cybersecurity Certification Training www.edureka.co/cybersecurity-certification-training Preventing SQL Injection Performing static and dynamic testing Using parameterized queries and ORMs Using escape characters in SQL queries Enforcing least privilege on database Enabling web-application firewalls
- 18. Copyright © 2019, edureka and/or its affiliates. All rights reserved. Exploiting SQL Vulnerability in Application
- 19. Cybersecurity Certification Training www.edureka.co/cybersecurity-certification-training