SQL injection and how to prevent it (ppt)


Document information

SQL Injection
Presenter: Pham Nhat Anh
What is this? And how to defend?

[...]

SQL Injection statistics (chart slides; only the title survives in the text extraction)

Risks Posed by SQL injection
• Confidentiality – SELECT
• Data Integrity – INSERT, DROP, DELETE
• Authentication bypass – ' OR 1=1--
• System compromise – stored procedures, extended ...

How to prevent SQL Injection correctly
• Input validation, and removal of some meta characters (' " ; \ ...)
• Parameterize DML
• Stored procedures
• Remove unusual system stored procedures

PARAMETERIZE DML
If the application has to issue DML statements, pass user input as parameters of the SQL statement instead of concatenating it into the query text:

    using System.Data;
    using System.Data.SqlClient;

    // The placeholders @Username and @Password mark where the values go;
    // the statement text itself never changes with user input.
    string sql = "SELECT * FROM Users " +
                 "WHERE username=@Username " +
                 "AND password=@Password";
    SqlCommand command = new SqlCommand(sql, connection);
    // The values travel typed and separately from the statement, so a quote
    // or comment sequence in them is data, not SQL syntax.
    command.Parameters.Add("@Username", SqlDbType.VarChar).Value = UserName.Text;
    command.Parameters.Add("@Password", SqlDbType.VarChar).Value = Password.Text;

STORED PROCEDURES
• Less vulnerable to SQL injection attacks
• Added security via EXECUTE permission: the application account needs EXECUTE on the procedure only, not SELECT/INSERT/UPDATE on the underlying tables

    // Call the procedure by name; its arguments are passed as parameters,
    // never spliced into a string.
    SqlCommand command = new SqlCommand("Users_GetUser", connection);
    command.CommandType = CommandType.StoredProcedure;
    command.Parameters.Add("@Username", SqlDbType.VarChar).Value = UserName.Text;
    command.Parameters.Add("@Password", SqlDbType.VarChar).Value = Password.Text;

"Less vulnerable" is conditional: a procedure that builds dynamic SQL internally by concatenating its arguments (for example via EXEC or sp_executesql on a built-up string) is exactly as injectable as the inline query it replaced.

Conclusion
• SQL Injection is one of the most important problems in web application security
• As shown in page 7, the number of vulnerabilities reported ... near future
• The solutions for SQL injection are not very complicated, but deploying them properly requires good management
• Don't underestimate SQL injection; tackle the problem with a more holistic and systematic approach
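As an added example, not part of the original slides, the authentication-bypass payload and the two defences above are run against a constructed in-memory SQLite database. The Users table, its two rows, and the function names are assumptions made for the demo; Python's DB-API `?` placeholders play the role of ADO.NET's `@Username`/`@Password` parameters. The example also goes one step beyond the deck: it shows why "remove some meta characters" fails on its own when the injected value lands in a numeric context, and what allow-list validation looks like instead.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demo (the deck shows no schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO Users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login query built by string concatenation: the injectable pattern.
    Returns the matching rows; an application would grant access if any row comes back."""
    sql = (
        "SELECT id, username FROM Users WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Same query with placeholders (the deck's PARAMETERIZE DML advice).
    The driver sends the values separately from the SQL text, so a quote or
    a comment sequence inside them is just data."""
    sql = "SELECT id, username FROM Users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


META_CHARS = "'\";\\"


def strip_meta_chars(s):
    """Blacklist filter in the spirit of the deck's 'remove some meta chars' bullet."""
    return "".join(ch for ch in s if ch not in META_CHARS)


def user_by_id_vulnerable(conn, id_text):
    """Numeric column, so the value is not quoted in the SQL: stripping quotes
    changes nothing, and '1 OR 1=1' still rewrites the WHERE clause."""
    sql = "SELECT id, username FROM Users WHERE id=" + strip_meta_chars(id_text)
    return conn.execute(sql).fetchall()


def user_by_id_validated(conn, id_text):
    """Allow-list validation (the value must be a decimal integer) plus a parameter."""
    if not id_text.isdigit():
        raise ValueError("id must be a positive integer")
    return conn.execute(
        "SELECT id, username FROM Users WHERE id=?", (int(id_text),)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR 1=1--"  # the deck's authentication-bypass payload
    print("vulnerable login:", login_vulnerable(conn, payload, "anything"))
    print("parameterized login:", login_parameterized(conn, payload, "anything"))
    print("numeric injection past the filter:", user_by_id_vulnerable(conn, "1 OR 1=1"))
    try:
        user_by_id_validated(conn, "1 OR 1=1")
    except ValueError as err:
        print("validated lookup rejected it:", err)
```

With the payload in the username field, the concatenated query becomes `... WHERE username='' OR 1=1--' AND password='anything'`; the `--` comments out the password check and every user is returned. The parameterized version returns nothing, because the same string is compared literally against the username column. The numeric case is why validation should describe what the input must look like (an integer, an allowed length, a character class) rather than list characters to delete.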

Posted: 16/01/2014, 19:20


Contents

  • SQL Injection

  • AGENDA

  • INTRODUCTION

  • What is SQL injection ?

  • What is SQL injection …?

  • SQL injection Example

  • SQL Injection statistics

  • Slide 8

  • Slide 9

  • Slide 10

  • Slide 11

  • Slide 12

  • Risks Posed by SQL injection.

  • CONFIDENTIALITY

  • Data Integrity

  • AUTHENTICATION BYPASS

  • System Compromise

  • How to prevent SQL Injection correctly

  • PARAMETERIZE DML

  • STORED PROCEDURES
