SlideShare ist ein Scribd-Unternehmen logo

How to Hack Your App Using SQL Injection

C
Chris Saxon

An introduction to SQL injection, explaining how this vulnerability exists and steps you can take to protect your application.

Technologie
1 von 54
Downloaden Sie, um offline zu lesen
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | How to Hack Your App Using SQL Chris Saxon, Oracle Developer Advocate, @ChrisRSaxon, @SQLDaily www.youtube.com/c/TheMagicofSQL blogs.oracle.com/sql blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | It's2018! ...do we really need to talk about this? blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | https://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/ blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | http://www.bbc.co.uk/news/technology-34963686 blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/10/talktalk-gets-record- 400-000-fine-for-failing-to-prevent-october-2015-attack/ blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | SQL Vulnerabilities Wordpress Jan 2017 https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/ Jul 2017 https://www.scmagazineuk.com/sql-injection-vulnerability-found-in-popular-wordppress-plug-in-again/article/672839/ Oct 2017 https://www.theregister.co.uk/2017/10/31/wordpress_security_fix_4_8_3/ blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | codecurmudgeon.com/wp/sql-injection-hall-of-shame/ blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon https://haveibeenpwned.com/
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | DEMO blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Pixabay blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Pixabay blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Pixabay blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Principle of Least Privilege blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Pixabay blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon Least Privilege
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Pixabay blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon Least Privilege
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Pixabay Least Privilege blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Data Red*****n blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Data Red*****n Can still blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Use Bind Variables! blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | String sql = "select * from users where username = '" + name + "' and password = '" + pass + "'"; blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | select full_name from users where username = 'chris' and password = 'chris'; blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | select full_name from users where username = '' or 1 = 1 --' and password = 'chris'; blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | select full_name from users where username = '' or 1 = 1 --' and password = 'chris'; Always true! blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | select full_name from users where username = 'chris' and password = '' union all select owner || '.' || table_name from all_tables where 1='1'; blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | select full_name from users where username = 'chris' and password = '' union all select owner || '.' || table_name from all_tables where 1='1'; Everything you can select blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | String sql = "select * from users where username = ? and password = ?"; blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | String sql = "select * from users where username = ? and password = ?"; Value placeholder blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | String sql = "select * from users where username = ? and password = ?"; Value placeholder Inputs never part of SQL => blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
PL/SQL is automatically bound blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | begin select * into user_rec from sqlinjection.users u where u.username = l_name and u.password = l_pass; end; These are bind variables blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | execute Pixabay Least Privilege plsql f (x) blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | I write dynamic SQL blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | String sql = "select * from users where 1 = 1 "; if param_1 is not null then sql = sql + " and c1 = ? "; end if; if param_2 is not null then sql = sql + " and c2 = ? "; end if; blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon can still bind
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | …but I accept identifiers blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Sanitize input! Pixabay blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Sanitize input! Pixabay DBMS_assert blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Change User Passwords execute immediate 'alter user ' || dbms_assert.schema_name ( user ) || ' identified by "' || replace( dbms_assert.enquote_literal ( pass ), '''' ) || '"'; Can't have single quotes (') in password! blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | I develop an internal app blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Gratisography employees can has your dataz? blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Pixabay How secure is your network? blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 42 Web Browser Web Server Database SSL TDE Encryption here is overkill, right? Transparent Data Encryption? SSL?
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 43
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 44 Web Browser Web Server Database SSL TDE Native Encryption See doc for more details
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | I don't have time to review all code
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon Test Deploy Build Run sqlmap Test in CI/CD Process
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Virtual Private Database Restrict access at source Employee Name Manager Name Salary SSN Kevin Mourgos Steven King 5800 650-123-5234 Shanta Vollman Steven King 6500 650-123-4234 Payam Kaufling Steven King 7900 650-123-3234 Adam Fripp Steven King 8200 650-123-2234 Matthew Weiss Steven King 8000 650-123-1234 Girard Geoni Matthew Weiss 2800 650-507-9879 Martha Sullivan Matthew Weiss 2500 650-507-9878 Jean Fleaur Matthew Weiss 3100 650-507-9877 Winston Taylor Matthew Weiss 3200 650-507-9876 Steven Markle Matthew Weiss 2200 650-124-1434
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Virtual Private Database Restrict access at source Employee Name Manager Name Salary SSN Kevin Mourgos Steven King Shanta Vollman Steven King Payam Kaufling Steven King Adam Fripp Steven King Matthew Weiss Steven King 8000 650-123-1234 Girard Geoni Matthew Weiss 2800 Martha Sullivan Matthew Weiss 2500 Jean Fleaur Matthew Weiss 3100 Winston Taylor Matthew Weiss 3200 Steven Markle Matthew Weiss 2200
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | How at risk am I? blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | DBSAT blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | DBSAT My Oracle Support 2138254.1 blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Pixabay PL/SQL Least Privilege Data R*******n Bind Variables Sanitize inputs blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon Security Layers
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | It's2018! no excuses... ... your data! blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Gratisography sqlmap.org #MakeDataGreatAgain blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

Empfohlen

12 Things Developers Will Love About Oracle Database 12c Release 2
12 Things Developers Will Love About Oracle Database 12c Release 212 Things Developers Will Love About Oracle Database 12c Release 2
12 Things Developers Will Love About Oracle Database 12c Release 2
Chris Saxon
 
Why Isn't My Query Using an Index? An Introduction to SQL Performance
Why Isn't My Query Using an Index? An Introduction to SQL PerformanceWhy Isn't My Query Using an Index? An Introduction to SQL Performance
Why Isn't My Query Using an Index? An Introduction to SQL Performance
Chris Saxon
 
Using Edition-Based Redefinition for Zero Downtime PL/SQL Changes
Using Edition-Based Redefinition for Zero Downtime PL/SQL ChangesUsing Edition-Based Redefinition for Zero Downtime PL/SQL Changes
Using Edition-Based Redefinition for Zero Downtime PL/SQL Changes
Chris Saxon
 
How to Find Patterns in Your Data with SQL
How to Find Patterns in Your Data with SQLHow to Find Patterns in Your Data with SQL
How to Find Patterns in Your Data with SQL
Chris Saxon
 
Polymorphic Table Functions in SQL
Polymorphic Table Functions in SQLPolymorphic Table Functions in SQL
Polymorphic Table Functions in SQL
Chris Saxon
 
Hyderabad Mar 2019 - Database 18c / 19c
Hyderabad Mar 2019 - Database 18c / 19cHyderabad Mar 2019 - Database 18c / 19c
Hyderabad Mar 2019 - Database 18c / 19c
Connor McDonald
 
Melbourne Groundbreakers Tour - Hints and Tips
Melbourne Groundbreakers Tour - Hints and TipsMelbourne Groundbreakers Tour - Hints and Tips
Melbourne Groundbreakers Tour - Hints and Tips
Connor McDonald
 
OpenWorld 2018 - SQL Tuning in 20 mins
OpenWorld 2018 - SQL Tuning in 20 minsOpenWorld 2018 - SQL Tuning in 20 mins
OpenWorld 2018 - SQL Tuning in 20 mins
Connor McDonald
 

Empfohlen

12 Things Developers Will Love About Oracle Database 12c Release 2
12 Things Developers Will Love About Oracle Database 12c Release 212 Things Developers Will Love About Oracle Database 12c Release 2
12 Things Developers Will Love About Oracle Database 12c Release 2
Chris Saxon
 
Why Isn't My Query Using an Index? An Introduction to SQL Performance
Why Isn't My Query Using an Index? An Introduction to SQL PerformanceWhy Isn't My Query Using an Index? An Introduction to SQL Performance
Why Isn't My Query Using an Index? An Introduction to SQL Performance
Chris Saxon
 
Using Edition-Based Redefinition for Zero Downtime PL/SQL Changes
Using Edition-Based Redefinition for Zero Downtime PL/SQL ChangesUsing Edition-Based Redefinition for Zero Downtime PL/SQL Changes
Using Edition-Based Redefinition for Zero Downtime PL/SQL Changes
Chris Saxon
 
How to Find Patterns in Your Data with SQL
How to Find Patterns in Your Data with SQLHow to Find Patterns in Your Data with SQL
How to Find Patterns in Your Data with SQL
Chris Saxon
 
Polymorphic Table Functions in SQL
Polymorphic Table Functions in SQLPolymorphic Table Functions in SQL
Polymorphic Table Functions in SQL
Chris Saxon
 
Hyderabad Mar 2019 - Database 18c / 19c
Hyderabad Mar 2019 - Database 18c / 19cHyderabad Mar 2019 - Database 18c / 19c
Hyderabad Mar 2019 - Database 18c / 19c
Connor McDonald
 
Melbourne Groundbreakers Tour - Hints and Tips
Melbourne Groundbreakers Tour - Hints and TipsMelbourne Groundbreakers Tour - Hints and Tips
Melbourne Groundbreakers Tour - Hints and Tips
Connor McDonald
 
OpenWorld 2018 - SQL Tuning in 20 mins
OpenWorld 2018 - SQL Tuning in 20 minsOpenWorld 2018 - SQL Tuning in 20 mins
OpenWorld 2018 - SQL Tuning in 20 mins
Connor McDonald
 
JSON-B for CZJUG
JSON-B for CZJUGJSON-B for CZJUG
JSON-B for CZJUG
Dmitry Kornilov
 
UKOUG Tech15 - Going Full Circle - Building a native JSON Database API
UKOUG Tech15 - Going Full Circle - Building a native JSON Database APIUKOUG Tech15 - Going Full Circle - Building a native JSON Database API
UKOUG Tech15 - Going Full Circle - Building a native JSON Database API
Marco Gralike
 
Configuration for Java EE: Config JSR and Tamaya
Configuration for Java EE: Config JSR and TamayaConfiguration for Java EE: Config JSR and Tamaya
Configuration for Java EE: Config JSR and Tamaya
Dmitry Kornilov
 
Configuration for Java EE and the Cloud
Configuration for Java EE and the CloudConfiguration for Java EE and the Cloud
Configuration for Java EE and the Cloud
Dmitry Kornilov
 
NZOUG-GroundBreakers-2018 - Troubleshooting and Diagnosing 18c RAC
NZOUG-GroundBreakers-2018 - Troubleshooting and Diagnosing 18c RACNZOUG-GroundBreakers-2018 - Troubleshooting and Diagnosing 18c RAC
NZOUG-GroundBreakers-2018 - Troubleshooting and Diagnosing 18c RAC
Sandesh Rao
 
NZOUG - GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Pres...
NZOUG - GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Pres...NZOUG - GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Pres...
NZOUG - GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Pres...
Sandesh Rao
 
What's new in the Java API for JSON Binding
What's new in the Java API for JSON BindingWhat's new in the Java API for JSON Binding
What's new in the Java API for JSON Binding
Dmitry Kornilov
 
MySQL Day Virtual: Best Practices Tips - Upgrading to MySQL 8.0
MySQL Day Virtual: Best Practices Tips - Upgrading to MySQL 8.0MySQL Day Virtual: Best Practices Tips - Upgrading to MySQL 8.0
MySQL Day Virtual: Best Practices Tips - Upgrading to MySQL 8.0
Frederic Descamps
 
AIOUG : OTNYathra - Troubleshooting and Diagnosing Oracle Database 12.2 and O...
AIOUG : OTNYathra - Troubleshooting and Diagnosing Oracle Database 12.2 and O...AIOUG : OTNYathra - Troubleshooting and Diagnosing Oracle Database 12.2 and O...
AIOUG : OTNYathra - Troubleshooting and Diagnosing Oracle Database 12.2 and O...
Sandesh Rao
 
AIOUG-GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Preser...
AIOUG-GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Preser...AIOUG-GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Preser...
AIOUG-GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Preser...
Sandesh Rao
 
AUSOUG - Applied Machine Learning for Database Autonomous Health
AUSOUG - Applied Machine Learning for Database Autonomous HealthAUSOUG - Applied Machine Learning for Database Autonomous Health
AUSOUG - Applied Machine Learning for Database Autonomous Health
Sandesh Rao
 
Data meets AI - ATP Roadshow India
Data meets AI - ATP Roadshow IndiaData meets AI - ATP Roadshow India
Data meets AI - ATP Roadshow India
Sandesh Rao
 
Introducing New AI Ops Innovations in Oracle 19c Autonomous Health Framework ...
Introducing New AI Ops Innovations in Oracle 19c Autonomous Health Framework ...Introducing New AI Ops Innovations in Oracle 19c Autonomous Health Framework ...
Introducing New AI Ops Innovations in Oracle 19c Autonomous Health Framework ...
Sandesh Rao
 
Java EE for the Cloud
Java EE for the CloudJava EE for the Cloud
Java EE for the Cloud
Dmitry Kornilov
 
Developers vs DBAs - How to win the war
Developers vs DBAs - How to win the warDevelopers vs DBAs - How to win the war
Developers vs DBAs - How to win the war
gvenzl
 
18(ish) Things You'll Love About Oracle Database 18c
18(ish) Things You'll Love About Oracle Database 18c18(ish) Things You'll Love About Oracle Database 18c
18(ish) Things You'll Love About Oracle Database 18c
Chris Saxon
 
Step by Step instructions to install Cluster Domain deployment model
Step by Step instructions to install Cluster Domain deployment modelStep by Step instructions to install Cluster Domain deployment model
Step by Step instructions to install Cluster Domain deployment model
Anil Nair
 
20190615 hkos-mysql-troubleshootingandperformancev2
20190615 hkos-mysql-troubleshootingandperformancev220190615 hkos-mysql-troubleshootingandperformancev2
20190615 hkos-mysql-troubleshootingandperformancev2
Ivan Ma
 
Introduction to MySQL InnoDB Cluster
Introduction to MySQL InnoDB ClusterIntroduction to MySQL InnoDB Cluster
Introduction to MySQL InnoDB Cluster
Frederic Descamps
 
AskTOM Office Hours on Database Triggers
AskTOM Office Hours on Database TriggersAskTOM Office Hours on Database Triggers
AskTOM Office Hours on Database Triggers
Steven Feuerstein
 
Python and the MySQL Document Store
Python and the MySQL Document StorePython and the MySQL Document Store
Python and the MySQL Document Store
Jesper Wisborg Krogh
 
MySQL Document Store - when SQL & NoSQL live together... in peace!
MySQL Document Store - when SQL & NoSQL live together... in peace!MySQL Document Store - when SQL & NoSQL live together... in peace!
MySQL Document Store - when SQL & NoSQL live together... in peace!
Frederic Descamps
 

Weitere ähnliche Inhalte

Was ist angesagt?

Configuration for Java EE and the Cloud
Configuration for Java EE and the CloudConfiguration for Java EE and the Cloud
Configuration for Java EE and the Cloud
Dmitry Kornilov
 
NZOUG-GroundBreakers-2018 - Troubleshooting and Diagnosing 18c RAC
NZOUG-GroundBreakers-2018 - Troubleshooting and Diagnosing 18c RACNZOUG-GroundBreakers-2018 - Troubleshooting and Diagnosing 18c RAC
NZOUG-GroundBreakers-2018 - Troubleshooting and Diagnosing 18c RAC
Sandesh Rao
 
Introducing New AI Ops Innovations in Oracle 19c Autonomous Health Framework ...
Introducing New AI Ops Innovations in Oracle 19c Autonomous Health Framework ...Introducing New AI Ops Innovations in Oracle 19c Autonomous Health Framework ...
Introducing New AI Ops Innovations in Oracle 19c Autonomous Health Framework ...
Sandesh Rao
 

Was ist angesagt? (15)

JSON-B for CZJUG
JSON-B for CZJUGJSON-B for CZJUG
JSON-B for CZJUG
 
UKOUG Tech15 - Going Full Circle - Building a native JSON Database API
UKOUG Tech15 - Going Full Circle - Building a native JSON Database APIUKOUG Tech15 - Going Full Circle - Building a native JSON Database API
UKOUG Tech15 - Going Full Circle - Building a native JSON Database API
 
Configuration for Java EE: Config JSR and Tamaya
Configuration for Java EE: Config JSR and TamayaConfiguration for Java EE: Config JSR and Tamaya
Configuration for Java EE: Config JSR and Tamaya
 
Configuration for Java EE and the Cloud
Configuration for Java EE and the CloudConfiguration for Java EE and the Cloud
Configuration for Java EE and the Cloud
 
NZOUG-GroundBreakers-2018 - Troubleshooting and Diagnosing 18c RAC
NZOUG-GroundBreakers-2018 - Troubleshooting and Diagnosing 18c RACNZOUG-GroundBreakers-2018 - Troubleshooting and Diagnosing 18c RAC
NZOUG-GroundBreakers-2018 - Troubleshooting and Diagnosing 18c RAC
 
NZOUG - GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Pres...
NZOUG - GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Pres...NZOUG - GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Pres...
NZOUG - GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Pres...
 
What's new in the Java API for JSON Binding
What's new in the Java API for JSON BindingWhat's new in the Java API for JSON Binding
What's new in the Java API for JSON Binding
 
MySQL Day Virtual: Best Practices Tips - Upgrading to MySQL 8.0
MySQL Day Virtual: Best Practices Tips - Upgrading to MySQL 8.0MySQL Day Virtual: Best Practices Tips - Upgrading to MySQL 8.0
MySQL Day Virtual: Best Practices Tips - Upgrading to MySQL 8.0
 
AIOUG : OTNYathra - Troubleshooting and Diagnosing Oracle Database 12.2 and O...
AIOUG : OTNYathra - Troubleshooting and Diagnosing Oracle Database 12.2 and O...AIOUG : OTNYathra - Troubleshooting and Diagnosing Oracle Database 12.2 and O...
AIOUG : OTNYathra - Troubleshooting and Diagnosing Oracle Database 12.2 and O...
 
AIOUG-GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Preser...
AIOUG-GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Preser...AIOUG-GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Preser...
AIOUG-GroundBreakers-2018 -Using Oracle Autonomous Health Framework to Preser...
 
AUSOUG - Applied Machine Learning for Database Autonomous Health
AUSOUG - Applied Machine Learning for Database Autonomous HealthAUSOUG - Applied Machine Learning for Database Autonomous Health
AUSOUG - Applied Machine Learning for Database Autonomous Health
 
Data meets AI - ATP Roadshow India
Data meets AI - ATP Roadshow IndiaData meets AI - ATP Roadshow India
Data meets AI - ATP Roadshow India
 
Introducing New AI Ops Innovations in Oracle 19c Autonomous Health Framework ...
Introducing New AI Ops Innovations in Oracle 19c Autonomous Health Framework ...Introducing New AI Ops Innovations in Oracle 19c Autonomous Health Framework ...
Introducing New AI Ops Innovations in Oracle 19c Autonomous Health Framework ...
 
Java EE for the Cloud
Java EE for the CloudJava EE for the Cloud
Java EE for the Cloud
 
Developers vs DBAs - How to win the war
Developers vs DBAs - How to win the warDevelopers vs DBAs - How to win the war
Developers vs DBAs - How to win the war
 

Ähnlich wie How to Hack Your App Using SQL Injection

Ähnlich wie How to Hack Your App Using SQL Injection (20)

18(ish) Things You'll Love About Oracle Database 18c
18(ish) Things You'll Love About Oracle Database 18c18(ish) Things You'll Love About Oracle Database 18c
18(ish) Things You'll Love About Oracle Database 18c
 
Step by Step instructions to install Cluster Domain deployment model
Step by Step instructions to install Cluster Domain deployment modelStep by Step instructions to install Cluster Domain deployment model
Step by Step instructions to install Cluster Domain deployment model
 
20190615 hkos-mysql-troubleshootingandperformancev2
20190615 hkos-mysql-troubleshootingandperformancev220190615 hkos-mysql-troubleshootingandperformancev2
20190615 hkos-mysql-troubleshootingandperformancev2
 
Introduction to MySQL InnoDB Cluster
Introduction to MySQL InnoDB ClusterIntroduction to MySQL InnoDB Cluster
Introduction to MySQL InnoDB Cluster
 
AskTOM Office Hours on Database Triggers
AskTOM Office Hours on Database TriggersAskTOM Office Hours on Database Triggers
AskTOM Office Hours on Database Triggers
 
Python and the MySQL Document Store
Python and the MySQL Document StorePython and the MySQL Document Store
Python and the MySQL Document Store
 
MySQL Document Store - when SQL & NoSQL live together... in peace!
MySQL Document Store - when SQL & NoSQL live together... in peace!MySQL Document Store - when SQL & NoSQL live together... in peace!
MySQL Document Store - when SQL & NoSQL live together... in peace!
 
Flashback features in Oracle - UKOUG 2017
Flashback features in Oracle - UKOUG 2017Flashback features in Oracle - UKOUG 2017
Flashback features in Oracle - UKOUG 2017
 
Robust easy affordable disaster recovery for MySQL Data
Robust easy affordable disaster recovery for MySQL DataRobust easy affordable disaster recovery for MySQL Data
Robust easy affordable disaster recovery for MySQL Data
 
The Theory and Math Behind Data Privacy and Security Assurance (SEC301) - AWS...
The Theory and Math Behind Data Privacy and Security Assurance (SEC301) - AWS...The Theory and Math Behind Data Privacy and Security Assurance (SEC301) - AWS...
The Theory and Math Behind Data Privacy and Security Assurance (SEC301) - AWS...
 
20180310 jawsdays SA LT いまCloudFormationで知るべき10のこと
20180310 jawsdays SA LT いまCloudFormationで知るべき10のこと20180310 jawsdays SA LT いまCloudFormationで知るべき10のこと
20180310 jawsdays SA LT いまCloudFormationで知るべき10のこと
 
MySQL innodb cluster and Group Replication in a nutshell - hands-on tutorial ...
MySQL innodb cluster and Group Replication in a nutshell - hands-on tutorial ...MySQL innodb cluster and Group Replication in a nutshell - hands-on tutorial ...
MySQL innodb cluster and Group Replication in a nutshell - hands-on tutorial ...
 
MySQL InnoDB Cluster in a Nutshell - Hands-on Lab
MySQL InnoDB Cluster in a Nutshell - Hands-on LabMySQL InnoDB Cluster in a Nutshell - Hands-on Lab
MySQL InnoDB Cluster in a Nutshell - Hands-on Lab
 
Migrating Oracle Databases from AWS to OCI
Migrating Oracle Databases from AWS to OCIMigrating Oracle Databases from AWS to OCI
Migrating Oracle Databases from AWS to OCI
 
PGQL: A Language for Graphs
PGQL: A Language for GraphsPGQL: A Language for Graphs
PGQL: A Language for Graphs
 
ARC201_Scaling Up to Your First 10 Million Users
ARC201_Scaling Up to Your First 10 Million UsersARC201_Scaling Up to Your First 10 Million Users
ARC201_Scaling Up to Your First 10 Million Users
 
Leverage integration cloud_service_for_ebs_
Leverage integration cloud_service_for_ebs_Leverage integration cloud_service_for_ebs_
Leverage integration cloud_service_for_ebs_
 
ReactJS Tutorial For Beginners | ReactJS Redux Training For Beginners | React...
ReactJS Tutorial For Beginners | ReactJS Redux Training For Beginners | React...ReactJS Tutorial For Beginners | ReactJS Redux Training For Beginners | React...
ReactJS Tutorial For Beginners | ReactJS Redux Training For Beginners | React...
 
Connecting the Unconnected using GraphDB - Tel Aviv Summit 2018
Connecting the Unconnected using GraphDB - Tel Aviv Summit 2018Connecting the Unconnected using GraphDB - Tel Aviv Summit 2018
Connecting the Unconnected using GraphDB - Tel Aviv Summit 2018
 
RMOUG MySQL 5.7 New Features
RMOUG MySQL 5.7 New FeaturesRMOUG MySQL 5.7 New Features
RMOUG MySQL 5.7 New Features
 

Kürzlich hochgeladen

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 

Kürzlich hochgeladen (20)

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 

How to Hack Your App Using SQL Injection

  • 1. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | How to Hack Your App Using SQL Chris Saxon, Oracle Developer Advocate, @ChrisRSaxon, @SQLDaily www.youtube.com/c/TheMagicofSQL blogs.oracle.com/sql blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 2. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | It's2018! ...do we really need to talk about this? blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 3. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | https://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/ blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 4. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 5. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | http://www.bbc.co.uk/news/technology-34963686 blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 6. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/10/talktalk-gets-record- 400-000-fine-for-failing-to-prevent-october-2015-attack/ blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 7. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | SQL Vulnerabilities Wordpress Jan 2017 https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/ Jul 2017 https://www.scmagazineuk.com/sql-injection-vulnerability-found-in-popular-wordppress-plug-in-again/article/672839/ Oct 2017 https://www.theregister.co.uk/2017/10/31/wordpress_security_fix_4_8_3/ blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 8. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | codecurmudgeon.com/wp/sql-injection-hall-of-shame/ blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 9. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon https://haveibeenpwned.com/
  • 10. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | DEMO blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 11. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Pixabay blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 12. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Pixabay blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 13. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Pixabay blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 14. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Principle of Least Privilege blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 15. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Pixabay blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon Least Privilege
  • 16. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Pixabay blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon Least Privilege
  • 17. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Pixabay Least Privilege blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 18. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Data Red*****n blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 19. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Data Red*****n Can still blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 20. Use Bind Variables! blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 21. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | String sql = "select * from users where username = '" + name + "' and password = '" + pass + "'"; blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 22. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | select full_name from users where username = 'chris' and password = 'chris'; blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 23. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | select full_name from users where username = '' or 1 = 1 --' and password = 'chris'; blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 24. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | select full_name from users where username = '' or 1 = 1 --' and password = 'chris'; Always true! blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 25. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | select full_name from users where username = 'chris' and password = '' union all select owner || '.' || table_name from all_tables where 1='1'; blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 26. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | select full_name from users where username = 'chris' and password = '' union all select owner || '.' || table_name from all_tables where 1='1'; Everything you can select blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 27. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | String sql = "select * from users where username = ? and password = ?"; blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 28. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | String sql = "select * from users where username = ? and password = ?"; Value placeholder blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 29. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | String sql = "select * from users where username = ? and password = ?"; Value placeholder Inputs never part of SQL => blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 30. PL/SQL is automatically bound blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 31. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | begin select * into user_rec from sqlinjection.users u where u.username = l_name and u.password = l_pass; end; These are bind variables blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 32. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | execute Pixabay Least Privilege plsql f (x) blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 33. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | I write dynamic SQL blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 34. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | String sql = "select * from users where 1 = 1 "; if param_1 is not null then sql = sql + " and c1 = ? "; end if; if param_2 is not null then sql = sql + " and c2 = ? "; end if; blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon can still bind
  • 35. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | …but I accept identifiers blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 36. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Sanitize input! Pixabay blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 37. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Sanitize input! Pixabay DBMS_assert blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 38. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Change User Passwords execute immediate 'alter user ' || dbms_assert.schema_name ( user ) || ' identified by "' || replace( dbms_assert.enquote_literal ( pass ), '''' ) || '"'; Can't have single quotes (') in password! blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 39. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | I develop an internal app blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 40. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Gratisography employees can has your dataz? blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 41. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Pixabay How secure is your network? blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 42. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 42 Web Browser Web Server Database SSL TDE Encryption here is overkill, right? Transparent Data Encryption? SSL?
  • 43. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 43
  • 44. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 44 Web Browser Web Server Database SSL TDE Native Encryption See doc for more details
  • 45. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | I don't have time to review all code
  • 46. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon Test Deploy Build Run sqlmap Test in CI/CD Process
  • 47. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Virtual Private Database Restrict access at source Employee Name Manager Name Salary SSN Kevin Mourgos Steven King 5800 650-123-5234 Shanta Vollman Steven King 6500 650-123-4234 Payam Kaufling Steven King 7900 650-123-3234 Adam Fripp Steven King 8200 650-123-2234 Matthew Weiss Steven King 8000 650-123-1234 Girard Geoni Matthew Weiss 2800 650-507-9879 Martha Sullivan Matthew Weiss 2500 650-507-9878 Jean Fleaur Matthew Weiss 3100 650-507-9877 Winston Taylor Matthew Weiss 3200 650-507-9876 Steven Markle Matthew Weiss 2200 650-124-1434
  • 48. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Virtual Private Database Restrict access at source Employee Name Manager Name Salary SSN Kevin Mourgos Steven King Shanta Vollman Steven King Payam Kaufling Steven King Adam Fripp Steven King Matthew Weiss Steven King 8000 650-123-1234 Girard Geoni Matthew Weiss 2800 Martha Sullivan Matthew Weiss 2500 Jean Fleaur Matthew Weiss 3100 Winston Taylor Matthew Weiss 3200 Steven Markle Matthew Weiss 2200
  • 49. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | How at risk am I? blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 50. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | DBSAT blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 51. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | DBSAT My Oracle Support 2138254.1 blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 52. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Pixabay PL/SQL Least Privilege Data R*******n Bind Variables Sanitize inputs blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon Security Layers
  • 53. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | It's2018! no excuses... ... your data! blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
  • 54. Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | Gratisography sqlmap.org #MakeDataGreatAgain blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon