SQL Injection Attacks
- Violet Rice
- 6 years ago
1 SQL Injection Attacks & Some Tips On How To Prevent Them
- SQL Server User Group Edinburgh
- 29th June 2011

2 Code Examples
- All the code examples can be found on my blog: /blog/category/sql-injection-attack-talk/

3 What is a SQL Injection Attack?
- Manipulative user input
- Tricks the application
- First order: immediate activation of the payload
- Second order: delayed activation of the payload

4 A warning from history
- Vendor spent $83K on firewall products
- App connected to SQL Server as sa
- Attack retrieved results via
- Was also able to shut down the SQL Server

5 Securing your database
- Multifaceted approach: firewall settings are not enough!
- Application interaction: the code that communicates with the DB
- Database protection: setting security on the database
- "Security is a process, not a product." -- Bruce Schneier, Secrets and Lies.

6 An example

    SELECT ProductName, QuantityPerUnit, UnitPrice
    FROM Products
    WHERE ProductName LIKE 'G%'

    // Deliberately vulnerable: the search text is concatenated into the SQL.
    string sql = "SELECT ProductName, QuantityPerUnit, UnitPrice " +
                 "FROM Products " +
                 "WHERE ProductName LIKE '" + this.search.Text + "%'";
    SqlDataAdapter da = new SqlDataAdapter(sql, DbCommand);
    da.Fill(productdataset);

7 An example
- User enters the following into the search box:

    ' UNION SELECT TABLE_NAME, 1, 1 FROM INFORMATION_SCHEMA.TABLES;--

- The same vulnerable code as on slide 6:

    string sql = "SELECT ProductName, QuantityPerUnit, UnitPrice " +
                 "FROM Products " +
                 "WHERE ProductName LIKE '" + this.search.Text + "%'";
    SqlDataAdapter da = new SqlDataAdapter(sql, DbCommand);
    da.Fill(productdataset);

- The SQL that is actually sent to the server:

    SELECT ProductName, QuantityPerUnit, UnitPrice
    FROM Products
    WHERE ProductName LIKE '' UNION SELECT TABLE_NAME, 1, 1 FROM INFORMATION_SCHEMA.TABLES;--%'

8 DEMO
- Example web application: ASP.NET MVC
- But could be any framework: Web / Windows / Services / WPF / Silverlight / etc.
- Or OS: Windows / Linux / iOS / MacOS / Android / etc.
- SQL Server 2008, but could be any RDBMS really: Oracle / MySQL / etc.

9 Prevention Tips
- Lock down access to xp (extended procedures)
- Run the SQL service under least privilege, so if an xp is run it can't do too much damage
- Minimised possibility of damage beyond SQL Server

10 Escaping key characters
- e.g. ' becomes ''
- User types O'Brien, SQL is O''Brien
- Don't trust myself to always remember
- Can be differences between databases
- Can be easy to get it wrong

11 Prevention Tip
- Use parameterised queries
- Separates the data from the command
- Cuts out most of the ability to attack: nothing is being injected any more
- Not a complete defence! Good first step though

12 Second Order Attacks
- Malicious user hides the payload, possibly in a trusted area
- Payload is then detonated later
- More difficult to detect

13 Demo: Second Order Attack
- User creates a favourite
- Favourite contains the payload
- Payload activated later

14 Prevention Tip
- Trust NOTHING! Well, almost nothing

15 Stored Procedures
- Provide an extra level of security
- Revoke access to tables, grant to sprocs
- Allow programmatic checks: data validation

16 Prevention Tip
- Don't connect as a user in the sysadmin role, e.g. the sa user
- You know who else connected as the sa user? Godwin Approved

17 Stored Procedure Caveat
- Can still access sprocs and be vulnerable:

    // Deliberately vulnerable: the EXECUTE statement is built by concatenation.
    SqlCommand cmd = new SqlCommand("EXECUTE mystoredproc '" + mytextbox.Text + "'");

- It could create its own injection scenario
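Added example, not code from the talk, covering slide 11 (parameterised query) and slide 17 (calling the sproc without an EXECUTE string). The Products query is the one from slide 6 and mystoredproc is the name from slide 17; the connection string, the parameter name @searchText and the LIKE-wildcard escaping are assumptions not on the slides.

```csharp
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the talk. The Products query is from slide 6
// and "mystoredproc" from slide 17; @searchText and the connection string
// are assumptions made for illustration.
public static class SafeDataAccess
{
    // Because the value goes into a LIKE pattern, neutralise LIKE
    // metacharacters so "50%" typed by a user matches the literal text.
    // The ESCAPE clause in the query names the escape character used here.
    public static string EscapeLikePattern(string input)
    {
        return input.Replace(@"\", @"\\")
                    .Replace("%", @"\%")
                    .Replace("_", @"\_")
                    .Replace("[", @"\[");
    }

    // Slide 11: parameterised version of the slide-6 search. The SQL text is
    // a constant; user input only ever travels as a typed parameter value.
    public static DataSet SearchProducts(string connectionString, string userInput)
    {
        const string sql =
            "SELECT ProductName, QuantityPerUnit, UnitPrice " +
            "FROM Products " +
            "WHERE ProductName LIKE @pattern ESCAPE '\\'";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // The slide-7 payload arrives here as plain text and is compared
            // against product names; it never reaches the parser as SQL.
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar).Value =
                EscapeLikePattern(userInput) + "%";

            var products = new DataSet();
            using (var da = new SqlDataAdapter(cmd))
            {
                da.Fill(products);   // SqlDataAdapter opens and closes conn itself
            }
            return products;
        }
    }

    // Slide 17: call the stored procedure as an RPC with typed parameters
    // instead of building "EXECUTE mystoredproc '...'" by concatenation.
    public static DataTable RunMyStoredProc(string connectionString, string userText)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("mystoredproc", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@searchText", SqlDbType.NVarChar).Value = userText;

            var result = new DataTable();
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                result.Load(reader);
            }
            return result;
        }
    }
}
```

The parameter value still reaches the stored procedure, so the procedure itself must not concatenate it into dynamic SQL (the point of slides 19 and 20).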
18 Demo
- Second order attack using a Stored Procedure

19 Dynamic SQL in sproc
- Sometimes it IS necessary, not often though
- Dynamic tables or columns
- SQL Server 2000 requires it for varying SELECT TOP values
- Can use sp_executesql: built-in Stored Proc that allows parameters to be passed

20 Dynamic SQL in sproc
- Validate inputs against INFORMATION_SCHEMA.TABLES and INFORMATION_SCHEMA.COLUMNS
- Use QUOTENAME to escape names properly

21 sp_executesql Example

    -- Procedure name and variable names were lost in transcription;
    -- dbo.SelectColumnById and @sql are placeholders.
    CREATE PROCEDURE dbo.SelectColumnById
        @TableName  sysname,
        @ColumnName sysname,
        @Identifier int
    AS
    BEGIN
        SET NOCOUNT ON;
        -- Validate the identifiers against the catalog before using them
        IF EXISTS (SELECT * FROM INFORMATION_SCHEMA.COLUMNS
                   WHERE TABLE_NAME = @TableName AND COLUMN_NAME = @ColumnName)
        BEGIN
            -- QUOTENAME escapes the identifiers; the value stays a parameter
            DECLARE @sql nvarchar(max) = 'SELECT ' + QUOTENAME(@ColumnName) +
                                         ' FROM ' + QUOTENAME(@TableName) +
                                         ' WHERE Id = @Identifier';
            EXEC sp_executesql @sql, N'@Identifier int', @Identifier;
        END
    END
    GO

22 O/RM
- Abstracts away the persistence layer
- Will generate correct (safe) SQL
- Still a need to understand the database and the implications of actions on the DB
- Need to shape the access to the tables

23 Error Messages
- Hide error messages from the user
- They can contain details about your system

24 Error Messages
- Log the errors: NLog, Elmah, log4net
- Display a friendly message to the user

25 SQL Injection Attacks
- Question Time
- /blog/category/sql-injection-attack-talk/