SlideShare une entreprise Scribd logo

SQLSecurity.ppt

Télécharger en tant que PPT, PDF
L
LokeshK66

SQL Security

Formation
1  sur  26
+ Housekeeping Project/assignment 6/quiz 6 questions? Quiz 6: Query optimization, database security  At 9:10, you’ll have 15 minutes to do on- line student ratings Office hours today: 10:30-12:30 Offce hours next week: M/W/F 10:30-12:30
+ Security: Access Control, SQL Injection Attacks Based upon slides from: classes.soe.ucsc.edu/.../SQL%20Injection%20Attacks.ppt homes.cs.washington.edu/~suciu/current-trends.ppt www.cse.iitb.ac.in/dbms/Data/.../DBSecurity-Overview.ppt
+ Data Security Protection from malicious attempts to steal (view) or modify data. The science and study of methods of protecting data (...) from unauthorized disclosure and modification Data Security = Confidentiality + Integrity
+ 4 Traditional Data Security Security in statistical databases = Theory  http://en.wikipedia.org/wiki/Statistical_database  In a statistical database, it is often desired to allow query access only to aggregate data, not individual records. Securing such a database is a difficult problem, since intelligent users can use a combination of aggregate queries to derive information about a single individual. Security in SQL = Access control + Views
+ 5 Access Control in SQL GRANT privileges ON object TO users [WITH GRANT OPTIONS] privileges = SELECT | INSERT | DELETE | . . . object = table | attribute REVOKE privileges ON object FROM users [CASCADE ] [Griffith&Wade'76, Fagin'78]
+ Access Control in MySQL  http://dev.mysql.com/doc/refman/5.0/en/privilege-system.html  The primary function of the MySQL privilege system is to authenticate a user who connects from a given host and to associate that user with privileges on a database such as SELECT, INSERT, UPDATE, and DELETE  There are some things that you cannot do with the MySQL privilege system:  You cannot explicitly specify that a given user should be denied access. That is, you cannot explicitly match a user and then refuse the connection.  You cannot specify that a user has privileges to create or drop tables in a database but not to create or drop the database itself.  A password applies globally to an account. You cannot associate a password with a specific object such as a database, table, or routine.
+ 7 Views in SQL A SQL View = (almost) any SQL query  Typically used as: GRANT SELECT ON pmpStudents TO DavidRispoli CREATE VIEW pmpStudents AS SELECT * FROM Students WHERE…
+ Views in MySQL  http://dev.mysql.com/doc/refman/5.0/en/create-view.html  CREATE [OR REPLACE] [ALGORITHM = {UNDEFINED | MERGE | TEMPTABLE}] [DEFINER = { user | CURRENT_USER }] [SQL SECURITY { DEFINER | INVOKER }] VIEW view_name [(column_list)] AS select_statement [WITH [CASCADED | LOCAL] CHECK OPTION]  The DEFINER and SQL SECURITY clauses determine which MySQL account to use when checking access privileges for the view when a statement is executed that references the view.
+ 9 Summary of SQL Security Limitations:  Often no row level access control  Note: DB specific – fine-grained access control is an active area of improvement  Table creator owns the data (not always fair) … or spectacular failure:  Only ~30% assign privileges to users/roles  And then to protect entire tables, not columns Access control = great success story of the DB community...
+ MySQL security  http://dev.mysql.com/doc/refman/5.0/en/security.html Many aspects:  General factors that affect security. These include choosing good passwords, not granting unnecessary privileges to users, ensuring application security by preventing SQL injections and data corruption, and others. See Section 6.1, “General Security Issues”.  Security of the installation itself. The data files, log files, and the all the application files of your installation should be protected to ensure that they are not readable or writable by unauthorized parties. For more information, see Section 2.18, “Postinstallation Setup and Testing”.
+ MySQL security  Access control and security within the database system itself, including the users and databases granted with access to the databases, views and stored programs in use within the database. For more information, see Section 6.2, “The MySQL Access Privilege System”, and Section 6.3, “MySQL User Account Management”.  Network security of MySQL and your system. The security is related to the grants for individual users, but you may also wish to restrict MySQL so that it is available only locally on the MySQL server host, or to a limited set of other hosts.  Ensure that you have adequate and appropriate backups of your database files, configuration and log files. Also be sure that you have a recovery solution in place and test that you are able to successfully recover the information from your backups. See Chapter 7, Backup and Recovery.
+ SQL Injection Attacks
+ http://www.circleid.com/posts/20130325_sql_injection_in _the_wild/
+ What is a SQL Injection Attack? Many web applications take user input from a form Often this user input is used literally in the construction of a SQL query submitted to a database. For example:  SELECT productdata FROM table WHERE productname = ‘user input product name’; A SQL injection attack involves placing SQL statements in the user input
+ SQL Injection Attacks on the rise  https://www.net-security.org/secworld.php?id=13313  “Many, many sites have lost customer data in this way,” said Chris Hinkley, Senior Security Engineer at FireHost. “SQL Injection attacks are often automated and many website owners may be blissfully unaware that their data could actively be at risk. These attacks can be detected and businesses should be taking basic and blanket steps to block attempted SQL Injection, as well as the other types of attacks we frequently see.”
+ 2012 News of SQL attacks  http://www.mysqlperformanceblog.com/2012/07/18/sql-injection-still-a- problem/  An SQL injection vulnerability resulted in an urgent June bugfix release of Ruby on Rails 3.x.  Yahoo! Voices was hacked in July. The attack acquired 453,000 user email addresses and passwords. The perpetrators claimed to have used union-based SQL injection to break in.  LinkedIn.com leaked 6.5 million user credentials in June. A class action lawsuit alleges that the attack was accomplished with SQL injection.  SQL injection was documented as a security threat in 1998, but new incidents still occur every month. Making honest mistakes, developers fail to defend against this means of attack, and the security of online data is at risk for all of us because of it.
+ Some good sites to learn more Prevention guide (with sample code in many languages): http://bobby-tables.com/ Tutorials: (webinar) http://www.percona.com/webinars/2012-07-25-sql-injection-myths-and- fallacies http://www.netrostar.com/SQL-Injection-Attack http://www.unixwiz.net/techtips/sql-injection.html Cool site that let’s you try out attacks on a sample DB and explains why they work http://sqlzoo.net/hack/ Research paper on how to retrofit existing websites to combat SQL injection attacks http://lersse-dl.ece.ubc.ca/record/205/files/paper.pdf
+ An Example SQL Injection Attack Product Search:  This input is put directly into the SQL statement within the Web application:  $query = “SELECT prodinfo FROM prodtable WHERE prodname = ‘” . $_POST[‘prod_search’] . “’”;  Creates the following SQL:  SELECT prodinfo FROM prodtable WHERE prodname = ‘blah‘ OR ‘x’ = ‘x’  Attacker has now successfully caused the entire database to be returned. blah‘ OR ‘x’ = ‘x
+ A More Malicious Example  What if the attacker had instead entered:  blah‘; DROP TABLE prodinfo; --  Results in the following SQL:  SELECT prodinfo FROM prodtable WHERE prodname = ‘blah’; DROP TABLE prodinfo; --’  Note how comment (--) consumes the final quote  Causes the entire database to be deleted  Depends on knowledge of table name  This is sometimes exposed to the user in debug code called during a database error  Use non-obvious table names, and never expose them to user  Usually data destruction is not your worst fear, as there is low economic motivation
+ Other injection possibilities Using SQL injections, attackers can:  Add new data to the database  Could be embarrassing to find yourself selling politically incorrect items on an eCommerce site  Perform an INSERT in the injected SQL  Modify data currently in the database  Could be very costly to have an expensive item suddenly be deeply ‘discounted’  Perform an UPDATE in the injected SQL  Often can gain access to other user’s system capabilities by obtaining their password
+ Best defence If possible, use bound variables with prepared statements  Many libraries allow you to bind inputs to variables inside a SQL statement  PERL example (from http://www.unixwiz.net/techtips/sql-injection.html) $sth = $dbh->prepare("SELECT email, userid FROM members WHERE email = ?;"); $sth->execute($email); See http://bobby-tables.com for example code in many languages
+ How does this prevent an attack?  The SQL statement you pass to prepare is parsed and compiled by the database server.  By specifying parameters (either a ? or a named parameter like :name) you tell the database engine what to filter on.  Then when you call execute the prepared statement is combined with the parameter values you specify.  It works because the parameter values are combined with the compiled statement, not a SQL string.  SQL injection works by tricking the script into including malicious strings when it creates SQL to send to the database. So by sending the actual SQL separately from the parameters you limit the risk of ending up with something you didn't intend.
+ Other Defenses Use provided functions for escaping strings  Many attacks can be thwarted by simply using the SQL string escaping mechanism  ‘  ’ and “  ”  mysql_real_escape_string() is the preferred function for this Will not guard against all attacks  Consider:  SELECT fields FROM table WHERE id = 23 OR 1=1  No quotes here!
+ More Defenses Check syntax of input for validity  Many classes of input have fixed languages  Email addresses, dates, part numbers, etc.  Verify that the input is a valid string in the language  Some languages allow problematic characters (e.g., ‘*’ in email); may decide to not allow these  Exclude quotes and semicolons  Not always possible: consider the name Bill O’Reilly  Want to allow the use of single quotes in names Have length limits on input  Many SQL injection attacks depend on entering long strings
+ Even More Defenses Scan query string for undesirable word combinations that indicate SQL statements  INSERT, DROP, etc.  If you see these, can check against SQL syntax to see if they represent a statement or valid user input Limit database permissions and segregate users  If you’re only reading the database, connect to database as a user that only has read permissions  Never connect as a database administrator in your web application
+ And Yet More Defenses  Configure database error reporting  Default error reporting often gives away information that is valuable for attackers (table name, field name, etc.)  Configure so that this information is never exposed to a user

Recommandé

Sql security
Sql securitySql security
Sql securitySafwan Hashmi
 
Greensql2007
Greensql2007Greensql2007
Greensql2007Kaustav Sengupta
 
Code injection and green sql
Code injection and green sqlCode injection and green sql
Code injection and green sqlKaustav Sengupta
 
Lecture 15-16.pdf
Lecture 15-16.pdfLecture 15-16.pdf
Lecture 15-16.pdfFumikageTokoyami4
 
GreenSQL Security
GreenSQL Security GreenSQL Security
GreenSQL Securityijsrd.com
 
SQL Injection Attacks cs586
SQL Injection Attacks cs586SQL Injection Attacks cs586
SQL Injection Attacks cs586Stacy Watts
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationRapid Purple
 
SQL Injection and Clickjacking Attack in Web security
SQL Injection and Clickjacking Attack in Web securitySQL Injection and Clickjacking Attack in Web security
SQL Injection and Clickjacking Attack in Web securityMoutasm Tamimi
 

Recommandé

Sql security
Sql securitySql security
Sql securitySafwan Hashmi
 
Greensql2007
Greensql2007Greensql2007
Greensql2007Kaustav Sengupta
 
Code injection and green sql
Code injection and green sqlCode injection and green sql
Code injection and green sqlKaustav Sengupta
 
Lecture 15-16.pdf
Lecture 15-16.pdfLecture 15-16.pdf
Lecture 15-16.pdfFumikageTokoyami4
 
GreenSQL Security
GreenSQL Security GreenSQL Security
GreenSQL Securityijsrd.com
 
SQL Injection Attacks cs586
SQL Injection Attacks cs586SQL Injection Attacks cs586
SQL Injection Attacks cs586Stacy Watts
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationRapid Purple
 
SQL Injection and Clickjacking Attack in Web security
SQL Injection and Clickjacking Attack in Web securitySQL Injection and Clickjacking Attack in Web security
SQL Injection and Clickjacking Attack in Web securityMoutasm Tamimi
 
SQL Injection - Newsletter
SQL Injection - NewsletterSQL Injection - Newsletter
SQL Injection - NewsletterSmitha Padmanabhan
 
Database security issues
Database security issuesDatabase security issues
Database security issuesn|u - The Open Security Community
 
Prevention of SQL Injection Attack in Web Application with Host Language
Prevention of SQL Injection Attack in Web Application with Host LanguagePrevention of SQL Injection Attack in Web Application with Host Language
Prevention of SQL Injection Attack in Web Application with Host LanguageIRJET Journal
 
Dr3150012012202 1.getting started
Dr3150012012202 1.getting startedDr3150012012202 1.getting started
Dr3150012012202 1.getting startedNamgu Jeong
 
Let's shield Liferay
Let's shield LiferayLet's shield Liferay
Let's shield LiferayJosé A. Jiménez
 
Security For Application Development
Security For Application DevelopmentSecurity For Application Development
Security For Application Development6502programmer
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009mirahman
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacksKevin Kline
 
Web Application Security 101 - 14 Data Validation
Web Application Security 101 - 14 Data ValidationWeb Application Security 101 - 14 Data Validation
Web Application Security 101 - 14 Data ValidationWebsecurify
 
SalemPhilip_ResearchReport
SalemPhilip_ResearchReportSalemPhilip_ResearchReport
SalemPhilip_ResearchReportPhilip Salem
 
Connection String Parameter Pollution Attacks
Connection String Parameter Pollution AttacksConnection String Parameter Pollution Attacks
Connection String Parameter Pollution AttacksChema Alonso
 
Database security
Database securityDatabase security
Database securityCAS
 
Data Base
Data BaseData Base
Data BaseSusan Tullis
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseNoaman Aziz
 
SQL Injection attack
SQL Injection attackSQL Injection attack
SQL Injection attackRayudu Babu
 
Day2
Day2Day2
Day2madamewoolf
 
Website Security
Website SecurityWebsite Security
Website SecurityCarlos Z
 
Website Security
Website SecurityWebsite Security
Website SecurityMODxpo
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionSina Manavi
 
Iot application in smart cities .pptx
Iot application in smart cities .pptxIot application in smart cities .pptx
Iot application in smart cities .pptxLokeshK66
 
building mat.pptx
building mat.pptxbuilding mat.pptx
building mat.pptxLokeshK66
 

Contenu connexe

Similaire à SQLSecurity.ppt

Prevention of SQL Injection Attack in Web Application with Host Language
Prevention of SQL Injection Attack in Web Application with Host LanguagePrevention of SQL Injection Attack in Web Application with Host Language
Prevention of SQL Injection Attack in Web Application with Host LanguageIRJET Journal
 
Dr3150012012202 1.getting started
Dr3150012012202 1.getting startedDr3150012012202 1.getting started
Dr3150012012202 1.getting startedNamgu Jeong
 
Security For Application Development
Security For Application DevelopmentSecurity For Application Development
Security For Application Development6502programmer
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009mirahman
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacksKevin Kline
 
Web Application Security 101 - 14 Data Validation
Web Application Security 101 - 14 Data ValidationWeb Application Security 101 - 14 Data Validation
Web Application Security 101 - 14 Data ValidationWebsecurify
 
SalemPhilip_ResearchReport
SalemPhilip_ResearchReportSalemPhilip_ResearchReport
SalemPhilip_ResearchReportPhilip Salem
 
Connection String Parameter Pollution Attacks
Connection String Parameter Pollution AttacksConnection String Parameter Pollution Attacks
Connection String Parameter Pollution AttacksChema Alonso
 
Database security
Database securityDatabase security
Database securityCAS
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseNoaman Aziz
 
SQL Injection attack
SQL Injection attackSQL Injection attack
SQL Injection attackRayudu Babu
 
Website Security
Website SecurityWebsite Security
Website SecurityCarlos Z
 
Website Security
Website SecurityWebsite Security
Website SecurityMODxpo
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionSina Manavi
 

Similaire à SQLSecurity.ppt (20)

SQL Injection - Newsletter
SQL Injection - NewsletterSQL Injection - Newsletter
SQL Injection - Newsletter
 
Database security issues
Database security issuesDatabase security issues
Database security issues
 
Prevention of SQL Injection Attack in Web Application with Host Language
Prevention of SQL Injection Attack in Web Application with Host LanguagePrevention of SQL Injection Attack in Web Application with Host Language
Prevention of SQL Injection Attack in Web Application with Host Language
 
Dr3150012012202 1.getting started
Dr3150012012202 1.getting startedDr3150012012202 1.getting started
Dr3150012012202 1.getting started
 
Let's shield Liferay
Let's shield LiferayLet's shield Liferay
Let's shield Liferay
 
Security For Application Development
Security For Application DevelopmentSecurity For Application Development
Security For Application Development
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacks
 
Web Application Security 101 - 14 Data Validation
Web Application Security 101 - 14 Data ValidationWeb Application Security 101 - 14 Data Validation
Web Application Security 101 - 14 Data Validation
 
SalemPhilip_ResearchReport
SalemPhilip_ResearchReportSalemPhilip_ResearchReport
SalemPhilip_ResearchReport
 
Connection String Parameter Pollution Attacks
Connection String Parameter Pollution AttacksConnection String Parameter Pollution Attacks
Connection String Parameter Pollution Attacks
 
Database security
Database securityDatabase security
Database security
 
Data Base
Data BaseData Base
Data Base
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackrose
 
SQL Injection attack
SQL Injection attackSQL Injection attack
SQL Injection attack
 
Day2
Day2Day2
Day2
 
Website Security
Website SecurityWebsite Security
Website Security
 
Website Security
Website SecurityWebsite Security
Website Security
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL Injection
 

Plus de LokeshK66

Iot application in smart cities .pptx
Iot application in smart cities .pptxIot application in smart cities .pptx
Iot application in smart cities .pptxLokeshK66
 
building mat.pptx
building mat.pptxbuilding mat.pptx
building mat.pptxLokeshK66
 
9781423902096_PPT_ch07.ppt
9781423902096_PPT_ch07.ppt9781423902096_PPT_ch07.ppt
9781423902096_PPT_ch07.pptLokeshK66
 
9781423902096_PPT_ch08.ppt
9781423902096_PPT_ch08.ppt9781423902096_PPT_ch08.ppt
9781423902096_PPT_ch08.pptLokeshK66
 
9781423902096_PPT_ch09.ppt
9781423902096_PPT_ch09.ppt9781423902096_PPT_ch09.ppt
9781423902096_PPT_ch09.pptLokeshK66
 
ch4_additional.ppt
ch4_additional.pptch4_additional.ppt
ch4_additional.pptLokeshK66
 
ch5_additional.ppt
ch5_additional.pptch5_additional.ppt
ch5_additional.pptLokeshK66
 
ch6_additional.ppt
ch6_additional.pptch6_additional.ppt
ch6_additional.pptLokeshK66
 
ch9_additional.ppt
ch9_additional.pptch9_additional.ppt
ch9_additional.pptLokeshK66
 

Plus de LokeshK66 (9)

Iot application in smart cities .pptx
Iot application in smart cities .pptxIot application in smart cities .pptx
Iot application in smart cities .pptx
 
building mat.pptx
building mat.pptxbuilding mat.pptx
building mat.pptx
 
9781423902096_PPT_ch07.ppt
9781423902096_PPT_ch07.ppt9781423902096_PPT_ch07.ppt
9781423902096_PPT_ch07.ppt
 
9781423902096_PPT_ch08.ppt
9781423902096_PPT_ch08.ppt9781423902096_PPT_ch08.ppt
9781423902096_PPT_ch08.ppt
 
9781423902096_PPT_ch09.ppt
9781423902096_PPT_ch09.ppt9781423902096_PPT_ch09.ppt
9781423902096_PPT_ch09.ppt
 
ch4_additional.ppt
ch4_additional.pptch4_additional.ppt
ch4_additional.ppt
 
ch5_additional.ppt
ch5_additional.pptch5_additional.ppt
ch5_additional.ppt
 
ch6_additional.ppt
ch6_additional.pptch6_additional.ppt
ch6_additional.ppt
 
ch9_additional.ppt
ch9_additional.pptch9_additional.ppt
ch9_additional.ppt
 

Dernier

Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfchloefrazer622
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAssociation for Project Management
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...christianmathematics
 
fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingTeacherCyreneCayanan
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...fonyou31
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 

Dernier (20)

Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdf
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writing
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 

SQLSecurity.ppt

  • 1. + Housekeeping Project/assignment 6/quiz 6 questions? Quiz 6: Query optimization, database security  At 9:10, you’ll have 15 minutes to do on- line student ratings Office hours today: 10:30-12:30 Offce hours next week: M/W/F 10:30-12:30
  • 2. + Security: Access Control, SQL Injection Attacks Based upon slides from: classes.soe.ucsc.edu/.../SQL%20Injection%20Attacks.ppt homes.cs.washington.edu/~suciu/current-trends.ppt www.cse.iitb.ac.in/dbms/Data/.../DBSecurity-Overview.ppt
  • 3. + Data Security Protection from malicious attempts to steal (view) or modify data. The science and study of methods of protecting data (...) from unauthorized disclosure and modification Data Security = Confidentiality + Integrity
  • 4. + 4 Traditional Data Security Security in statistical databases = Theory  http://en.wikipedia.org/wiki/Statistical_database  In a statistical database, it is often desired to allow query access only to aggregate data, not individual records. Securing such a database is a difficult problem, since intelligent users can use a combination of aggregate queries to derive information about a single individual. Security in SQL = Access control + Views
  • 5. + 5 Access Control in SQL GRANT privileges ON object TO users [WITH GRANT OPTIONS] privileges = SELECT | INSERT | DELETE | . . . object = table | attribute REVOKE privileges ON object FROM users [CASCADE ] [Griffith&Wade'76, Fagin'78]
  • 6. + Access Control in MySQL  http://dev.mysql.com/doc/refman/5.0/en/privilege-system.html  The primary function of the MySQL privilege system is to authenticate a user who connects from a given host and to associate that user with privileges on a database such as SELECT, INSERT, UPDATE, and DELETE  There are some things that you cannot do with the MySQL privilege system:  You cannot explicitly specify that a given user should be denied access. That is, you cannot explicitly match a user and then refuse the connection.  You cannot specify that a user has privileges to create or drop tables in a database but not to create or drop the database itself.  A password applies globally to an account. You cannot associate a password with a specific object such as a database, table, or routine.
  • 7. + 7 Views in SQL A SQL View = (almost) any SQL query  Typically used as: GRANT SELECT ON pmpStudents TO DavidRispoli CREATE VIEW pmpStudents AS SELECT * FROM Students WHERE…
  • 8. + Views in MySQL  http://dev.mysql.com/doc/refman/5.0/en/create-view.html  CREATE [OR REPLACE] [ALGORITHM = {UNDEFINED | MERGE | TEMPTABLE}] [DEFINER = { user | CURRENT_USER }] [SQL SECURITY { DEFINER | INVOKER }] VIEW view_name [(column_list)] AS select_statement [WITH [CASCADED | LOCAL] CHECK OPTION]  The DEFINER and SQL SECURITY clauses determine which MySQL account to use when checking access privileges for the view when a statement is executed that references the view.
  • 9. + 9 Summary of SQL Security Limitations:  Often no row level access control  Note: DB specific – fine-grained access control is an active area of improvement  Table creator owns the data (not always fair) … or spectacular failure:  Only ~30% assign privileges to users/roles  And then to protect entire tables, not columns Access control = great success story of the DB community...
  • 10. + MySQL security  http://dev.mysql.com/doc/refman/5.0/en/security.html Many aspects:  General factors that affect security. These include choosing good passwords, not granting unnecessary privileges to users, ensuring application security by preventing SQL injections and data corruption, and others. See Section 6.1, “General Security Issues”.  Security of the installation itself. The data files, log files, and the all the application files of your installation should be protected to ensure that they are not readable or writable by unauthorized parties. For more information, see Section 2.18, “Postinstallation Setup and Testing”.
  • 11. + MySQL security  Access control and security within the database system itself, including the users and databases granted with access to the databases, views and stored programs in use within the database. For more information, see Section 6.2, “The MySQL Access Privilege System”, and Section 6.3, “MySQL User Account Management”.  Network security of MySQL and your system. The security is related to the grants for individual users, but you may also wish to restrict MySQL so that it is available only locally on the MySQL server host, or to a limited set of other hosts.  Ensure that you have adequate and appropriate backups of your database files, configuration and log files. Also be sure that you have a recovery solution in place and test that you are able to successfully recover the information from your backups. See Chapter 7, Backup and Recovery.
  • 14. + What is a SQL Injection Attack? Many web applications take user input from a form Often this user input is used literally in the construction of a SQL query submitted to a database. For example:  SELECT productdata FROM table WHERE productname = ‘user input product name’; A SQL injection attack involves placing SQL statements in the user input
  • 15. + SQL Injection Attacks on the rise  https://www.net-security.org/secworld.php?id=13313  “Many, many sites have lost customer data in this way,” said Chris Hinkley, Senior Security Engineer at FireHost. “SQL Injection attacks are often automated and many website owners may be blissfully unaware that their data could actively be at risk. These attacks can be detected and businesses should be taking basic and blanket steps to block attempted SQL Injection, as well as the other types of attacks we frequently see.”
  • 16. + 2012 News of SQL attacks  http://www.mysqlperformanceblog.com/2012/07/18/sql-injection-still-a- problem/  An SQL injection vulnerability resulted in an urgent June bugfix release of Ruby on Rails 3.x.  Yahoo! Voices was hacked in July. The attack acquired 453,000 user email addresses and passwords. The perpetrators claimed to have used union-based SQL injection to break in.  LinkedIn.com leaked 6.5 million user credentials in June. A class action lawsuit alleges that the attack was accomplished with SQL injection.  SQL injection was documented as a security threat in 1998, but new incidents still occur every month. Making honest mistakes, developers fail to defend against this means of attack, and the security of online data is at risk for all of us because of it.
  • 17. + Some good sites to learn more Prevention guide (with sample code in many languages): http://bobby-tables.com/ Tutorials: (webinar) http://www.percona.com/webinars/2012-07-25-sql-injection-myths-and- fallacies http://www.netrostar.com/SQL-Injection-Attack http://www.unixwiz.net/techtips/sql-injection.html Cool site that let’s you try out attacks on a sample DB and explains why they work http://sqlzoo.net/hack/ Research paper on how to retrofit existing websites to combat SQL injection attacks http://lersse-dl.ece.ubc.ca/record/205/files/paper.pdf
  • 18. + An Example SQL Injection Attack Product Search:  This input is put directly into the SQL statement within the Web application:  $query = “SELECT prodinfo FROM prodtable WHERE prodname = ‘” . $_POST[‘prod_search’] . “’”;  Creates the following SQL:  SELECT prodinfo FROM prodtable WHERE prodname = ‘blah‘ OR ‘x’ = ‘x’  Attacker has now successfully caused the entire database to be returned. blah‘ OR ‘x’ = ‘x
  • 19. + A More Malicious Example  What if the attacker had instead entered:  blah‘; DROP TABLE prodinfo; --  Results in the following SQL:  SELECT prodinfo FROM prodtable WHERE prodname = ‘blah’; DROP TABLE prodinfo; --’  Note how comment (--) consumes the final quote  Causes the entire database to be deleted  Depends on knowledge of table name  This is sometimes exposed to the user in debug code called during a database error  Use non-obvious table names, and never expose them to user  Usually data destruction is not your worst fear, as there is low economic motivation
  • 20. + Other injection possibilities Using SQL injections, attackers can:  Add new data to the database  Could be embarrassing to find yourself selling politically incorrect items on an eCommerce site  Perform an INSERT in the injected SQL  Modify data currently in the database  Could be very costly to have an expensive item suddenly be deeply ‘discounted’  Perform an UPDATE in the injected SQL  Often can gain access to other user’s system capabilities by obtaining their password
  • 21. + Best defence If possible, use bound variables with prepared statements  Many libraries allow you to bind inputs to variables inside a SQL statement  PERL example (from http://www.unixwiz.net/techtips/sql-injection.html) $sth = $dbh->prepare("SELECT email, userid FROM members WHERE email = ?;"); $sth->execute($email); See http://bobby-tables.com for example code in many languages
  • 22. + How does this prevent an attack?  The SQL statement you pass to prepare is parsed and compiled by the database server.  By specifying parameters (either a ? or a named parameter like :name) you tell the database engine what to filter on.  Then when you call execute the prepared statement is combined with the parameter values you specify.  It works because the parameter values are combined with the compiled statement, not a SQL string.  SQL injection works by tricking the script into including malicious strings when it creates SQL to send to the database. So by sending the actual SQL separately from the parameters you limit the risk of ending up with something you didn't intend.
  • 23. + Other Defenses Use provided functions for escaping strings  Many attacks can be thwarted by simply using the SQL string escaping mechanism  ‘  ’ and “  ”  mysql_real_escape_string() is the preferred function for this Will not guard against all attacks  Consider:  SELECT fields FROM table WHERE id = 23 OR 1=1  No quotes here!
  • 24. + More Defenses Check syntax of input for validity  Many classes of input have fixed languages  Email addresses, dates, part numbers, etc.  Verify that the input is a valid string in the language  Some languages allow problematic characters (e.g., ‘*’ in email); may decide to not allow these  Exclude quotes and semicolons  Not always possible: consider the name Bill O’Reilly  Want to allow the use of single quotes in names Have length limits on input  Many SQL injection attacks depend on entering long strings
  • 25. + Even More Defenses Scan query string for undesirable word combinations that indicate SQL statements  INSERT, DROP, etc.  If you see these, can check against SQL syntax to see if they represent a statement or valid user input Limit database permissions and segregate users  If you’re only reading the database, connect to database as a user that only has read permissions  Never connect as a database administrator in your web application
  • 26. + And Yet More Defenses  Configure database error reporting  Default error reporting often gives away information that is valuable for attackers (table name, field name, etc.)  Configure so that this information is never exposed to a user