SQL Injection Exploited
MICAH HOFFMAN
SQL Injection in the News
SQL INJECTION EXPLOITED - MICAH HOFFMAN - @WEBBREACHER 2
Who am I?
◦ Infosec Engineer / Pentester
◦ NoVA Hacker
◦ PwnWiki.io Curator
◦ Recon-ng module Writer
◦ SANS Instructor (SEC542)
◦ Hiker / Backpacker
Novahackers.com
Great Expectations
◦ What is SQL Injection (SQLi)?
◦ What can an attacker exploiting SQLi do?
◦ Tools to exploit SQLi
◦ Appropriate places to practice SQLi exploitation
◦ Demo of SQLi exploitation
◦ How do you prevent SQLi?
What is SQL Injection (SQLi)?
◦ Web application vulnerability
◦ Attacker runs commands on the database server through the vulnerable web app
[Diagram: "SQLi here" gets an attacker in "here"]
This is SQL Injection
Normal URL
◦ http://example.com/user.php?name=admin&password=a
◦ Web application sends the following SQL to the database:
◦ SELECT * FROM accounts WHERE user='admin' AND password='a'
◦ Returns 1 record
SQL Injection Example URL
◦ http://example.com/user.php?name=admin' or 1=1 -- &password=a
◦ SELECT * FROM accounts WHERE user='admin' or 1=1 -- ' AND password='a'
◦ Returns all records because 1 always equals 1
Would SQLi Exploitation in License Plates Actually Work?
What can an attacker do?
Not all SQL injection is the same – some allow greater access
Things an attacker can do by exploiting SQLi
◦ Inside the database server
  ◦ Read records in databases / Steal records (Confidentiality/Authorization)
  ◦ Write to records in databases (Integrity)
  ◦ Delete records in databases (Availability)
  ◦ Circumvent authentication (if SQLi is found in the authentication mechanism)
◦ On the database server’s underlying system
  ◦ Read/Write files to/from the server file system
  ◦ Execute commands on the server operating system
  ◦ Compromise the server
  ◦ Pivot into internal network and attack other systems
SQLi Discovery and Exploitation Tools
COTS
◦ App Scanners - Acunetix / Netsparker / NTO Spider
◦ Vuln Scanners - Nessus / Nexpose / Qualys / Metasploit / Core Impact
Free
◦ Sqlmap
◦ Sqlninja
◦ BBQSQL
“Safe” Testing Targets
Samurai Web Testing Framework (SamuraiWTF) - FREE
◦ http://www.samurai-wtf.org/
◦ VMWare image and ISO
◦ Attack tools and many web application victim targets
◦ Has SamuraiWTF “Course” PDF
◦ Used by SANS Web App Hacking (SEC542) course
Individual Vulnerable Apps
◦ WebGoat
◦ Mutillidae
◦ Gruyere
◦ McAfee HacMe
Demo using SamuraiWTF
Preventing SQLi through Education
System Administrator
◦ Ensure database is running as a user/service account with least privilege
◦ Ensure operating system and applications are patched and hardened
Database Administrator
◦ Ensure each application has its own account in the database
◦ Ensure each account has the explicit permissions required for the app
◦ Ensure the server is hardened and risky options are disabled
Application Developer
◦ Sanitize, filter and validate all data before sending to database
◦ Use SQLi-prevention mechanisms (parameterized queries, stored procedures) correctly
Testing
◦ Perform security assessments, penetration testing, against your systems
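The following is an added example, not code from the slides, from SamuraiWTF or from any of the tools named in the deck. It reproduces in Python, against an in-memory SQLite database, the query-building bug from the "This is SQL Injection" slide (the `user.php` string concatenation and the `' or 1=1 -- ` input), and beside it the two Application Developer controls from this slide: validating the `name` parameter against an allowlist, and a parameterized query. The `accounts` table contents, the function names and the allowlist pattern are constructed for the example; the vulnerable SQL string and the payload are the ones shown on the slide.

```python
import re
import sqlite3

# Constructed sample data (not from the slides): three accounts in an
# in-memory SQLite database standing in for the app's real backend.
SAMPLE_ACCOUNTS = [
    ("admin", "a"),
    ("alice", "s3cret"),
    ("bob", "hunter2"),
]

# The value of the `name` parameter in the slide's example URL
# (name=admin' or 1=1 -- &password=a), including the trailing space.
SLIDE_PAYLOAD = "admin' or 1=1 -- "


def make_db():
    """Create and populate the sample accounts table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (user TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def build_vulnerable_sql(name, password):
    """What user.php does on the slide: paste request parameters into SQL text."""
    return f"SELECT * FROM accounts WHERE user='{name}' AND password='{password}'"


def login_vulnerable(conn, name, password):
    """Run the concatenated statement; the input can change its structure."""
    return conn.execute(build_vulnerable_sql(name, password)).fetchall()


# Allowlist for the `name` parameter (a constructed policy: letters, digits,
# underscore, 1-32 characters). Quotes, spaces and '--' never pass it.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def valid_username(name):
    """Validate the value before it gets anywhere near the database."""
    return USERNAME_RE.fullmatch(name) is not None


def login_parameterized(conn, name, password):
    """Placeholders: the driver sends the values separately from the statement
    text, so a quote or 'or 1=1' in the input is data, never SQL syntax."""
    return conn.execute(
        "SELECT * FROM accounts WHERE user=? AND password=?", (name, password)
    ).fetchall()


def login_hardened(conn, name, password):
    """Both controls together: reject malformed input, then bind what remains."""
    if not valid_username(name):
        return []
    return login_parameterized(conn, name, password)


def demo():
    """Row counts for: the normal login on the vulnerable code, the slide's
    payload on the vulnerable code, the same payload through the parameterized
    query, and through validation plus the parameterized query."""
    conn = make_db()
    normal = login_vulnerable(conn, "admin", "a")
    injected = login_vulnerable(conn, SLIDE_PAYLOAD, "a")
    bound = login_parameterized(conn, SLIDE_PAYLOAD, "a")
    hardened = login_hardened(conn, SLIDE_PAYLOAD, "a")
    return len(normal), len(injected), len(bound), len(hardened)


if __name__ == "__main__":
    # The generated statement is exactly the one on the slide.
    print(build_vulnerable_sql(SLIDE_PAYLOAD, "a"))
    print(demo())  # (1, 3, 0, 0)
```

The counts make the slide's point concrete: the concatenated query returns one record for a real login and every record for the injected name, because the `--` turns the rest of the statement into a comment and `1=1` is always true. The parameterized query returns nothing for the same input, since the whole string is compared against the `user` column as a value. The allowlist is defence in depth rather than a substitute: validation rules are easy to get wrong for fields that legitimately contain quotes, whereas parameter binding keeps the SQL structure independent of the data regardless of what the field contains.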
SANS Administrator:
◦ SEC464 – Security Baseline
SANS Developer:
◦ DEV522 – Defending Web Apps
◦ DEV536 – Secure Coding
SANS Defender:
◦ SEC434 – Log Management
◦ SEC440 – Crit. Sec. Controls
◦ SEC502 – Perimeter Protection
SANS Attacker:
◦ SEC504 – Hacker Techniques
◦ SEC542 – Web App Pentest
◦ SEC560 – Net Pentest
Questions?
Resources
◦ Information about web app vulnerabilities, how to test and remediate - OWASP – http://owasp.org
◦ SQL Injection Cheat Sheet - http://websec.ca/kb/sql_injection
Key Testing Tools
◦ Sqlmap - sqlmap.org
◦ Docs are on the http://github.com/sqlmapproject/sqlmap/wiki page
◦ SamuraiWTF
◦ http://www.samurai-wtf.org and http://sourceforge.net/projects/samurai/files/
My Blog: http://webbreacher.blogspot.com

Editor's notes

  1. As a senior infosec engineer, I mentor junior staff. They ask “How can I contribute?” “What can I do…I don’t have my [insert cert here]?” I tell them…