SQL Injection in JAVA
HoseinYavari
181 views
22 slides
Feb 26, 2022
Slide 1 of 22
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
About This Presentation
An Overview to SQL Injection Attacks and Prevention Methods in JAVA
Slide Content
Hossein Yavari SQL Injection in JAVA March 2022
What We Learn? What is the injection attack? Types of injection attacks SQL Injection Type of SQLi SQLi in JAVA How to prevent SQLi in JAVA?
What is the Injection? To trick an application into interpreting data that includes unintended commands. Interpreters: Interpret strings as commands SQL, shell, etc. Input data from the application is executed as code by the interpreter.
Types of Injection Attacks SQL Injection (SQLi) Cross-Site Scripting (XSS) CCS Injection LDAP Injection SMTP/IMAP Command Injection
SQL Injection Vulnerability in the code of websites and web apps that allows attackers to hijack back-end processes and access, extract, and delete confidential information from databases. Successful SQLi attacks: Log in to an app or a website front end without a password. Access, extract, and delete stored data from secured databases. Create their own database records or modify existing records, opening the door for further attacks.
SQL Injection (Cont.) App sends form to user. Attacker submits form with SQL exploit data. Application builds string with exploit data. Application sends SQL query to DB. DB executes query, including exploit, sends data back to application. Application returns data to user.
Type of SQLi Boolean Based Union Based Input Data> 2 or 1=1 SQL Query> select first_name , last_name from tbl_employee where empId =2 or 1=1 Input Data> 2 union select username, password from tbluser SQL Query > Select first_name , last_name from tbl_employee where empId =2 union select username, password from tbluser
Type of SQLi (Cont.) Time Based Error Based Attacker injects SQL which are syntactically incorrect so database server will return error code and messages which can be used to get database and system information. Blind Bad actors query the database for true or false questions, then determine the answer based on the response. Input Data> 2 + SLEEP(5) SQL Query> select emp_id , first_name , last_name from tbl_employee where empId =2 + SLEEP(5)
SQL Injection Sample String query = “SELECT Username, UserID , Password FROM Users WHERE username =“ + user + “ AND password =“ + password; query = “SELECT Username, UserID , Password FROM Users WHERE username = 'bob' AND Password = ‘********‘”
SQL Injection Sample (Cont.) String query = “SELECT Username, UserID , Password FROM Users WHERE username =“ + user + “ AND password =“ + password; query1 = “SELECT Username, UserID , Password FROM Users WHERE Username = 'bob’-- ’ AND Password = ‘‘” query = “SELECT Username, UserID , Password FROM Users WHERE Username = 'bob’; DROP Users-- ’ AND Password = ‘‘” BOOM
SQL Injection Sample (Cont.) Boolean SQLi: SELECT * FROM projects WHERE user_id = 10 SELECT * FROM projects WHERE user_id = 10 OR 1 = 1
SQLi in JAVA
SQLi in JAVA (Cont.) http://localhost:8080/filterUserJdbcUnSafe name=="Bilbo' or '1' = '1"
SQLi in JAVA (Cont.) http http://localhost:8080/filterUserGlobalAccessUnSafe name=="Bilbo' union all select 1, concat (review,'-----',rating),review, 'STAFF' from management.employee_review where '1'='1"
How to Prevent SQLi Vulnerabilities Use Prepared Statements with Parameterized Queries In JAVA: PreparedStatement () The question mark (?) in the above query is called a positional parameter.
How to Prevent SQLi Vulnerabilities (Cont.) Use Stored Procedures A stored procedure is defined and stored in the database itself, and then called from the application. In JAVA: CallableStatement , implementation of the stored procedure interface, to execute the same database query. The sp_getAccountBalance stored procedure would have to be predefined in the database and implement the same functionality as the query.
How to Prevent SQLi Vulnerabilities (Cont.) Allowlist Input Validation Parameter values should be mapped to the legal/expected table or column names to make sure unvalidated user input doesn't end up in the query.
How to Prevent SQLi Vulnerabilities (Cont.) Escaping All User-Supplied Input This technique is to escape user input before putting it in a query. It is very database specific in its implementation. Example: When wrapped by encodeForSql (...), no part of the user input will be considered as code
How to Prevent SQLi Vulnerabilities (Cont.) Enforce the Principle of Least Privilege Minimize the privileges assigned to every database account in your environment. Do not assign DBA or admin type access rights to your application accounts. Limit the application’s access to the database via permissions & grants.
How to Prevent SQLi Vulnerabilities (Cont.) Use tools to find SQLi vulnerabilities in your application Tools that automate the process of detecting and exploiting SQL injection flaws and taking over of database servers. Example: sqlmap https://github.com/sqlmapproject/sqlmap
Questions? 21
Thank You 22
Categories
GeneralDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 181
- Slides 22
- Age 1374 days
Related Slideshows
22
Pray For The Peace Of Jerusalem and You Will Prosper
RodolfoMoralesMarcuc
30 views
26
Don_t_Waste_Your_Life_God.....powerpoint
chalobrido8
32 views
31
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf
JaiJai148317
30 views
14
Fertility awareness methods for women in the society
Isaiah47
29 views
35
Chapter 5 Arithmetic Functions Computer Organisation and Architecture
RitikSharma297999
26 views
5
syakira bhasa inggris (1) (1).pptx.......
ourcommunity56
28 views