Benvenuto in Scribd!

Salta carosello

Preventing SQL Injection Attack: Nguyen Van Cuong

Caricato da

tieungunhi139

Il 0% ha trovato utile questo documento (0 voti)

15 visualizzazioni12 pagine

sql

Titolo originale

SQL Prevention

Copyright

Formati disponibili

PPTX, PDF, TXT o leggi online da Scribd

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Segnala questo documento

sql

Copyright:

Formati disponibili

Scarica in formato PPTX, PDF, TXT o leggi online su Scribd

Segnala contenuti inappropriati

Il 0% ha trovato utile questo documento (0 voti)

15 visualizzazioni12 pagine

Preventing SQL Injection Attack: Nguyen Van Cuong

Caricato da

tieungunhi139

sql

Copyright:

Formati disponibili

Scarica in formato PPTX, PDF, TXT o leggi online su Scribd

Segnala contenuti inappropriati

Salta alla pagina

Sei sulla pagina 1di 12

Cerca all'interno del documento

PREVENTING SQL

INJECTION ATTACK
Nguyen Van Cuong
Outline

Introduction
Some popular methods
A new approach
Introduction

Database: stores data (personal identity, credit card,

copyrighted material,) -> heart of website
SQL injection:
one of the most popular techniques to hack a website
exploits security weaknesses in a system
makes unexpected results
POPULAR METHODS
Amnesia

static analysis + run-time actions for Java-based applications

static analysis: model of expected queries
run-time actions: queries will be checked continuously
based on Java String Analysis
disadvantage: depends on the accuracy of static analysis
POPULAR METHODS
CANDID

short form of CANdidate evaluation for Discovering Intent

Dynamically
attacks: not only detected but also prevented automatically
mechanism: like word-prediction system in a smartphones
keyboard
problems solved by producing prepared statements
only partially works in all cases
POPULAR METHODS
WASP

short form of Web Applications Using Positive Tainting and

Syntax-Aware Evaluation
java library to transform complied code to keep track of taint
data prevented by using syntax-aware evaluation
MetaStrings library: integrated into a web application
needs a reliable external data resources
A NEW APPROACH
Table 1: Comparison of Techniques with Respect to SQL Injection Attack Types [4], [5]

Technique Tautologies Illegal/ Piggy- Union Stored Inference Alternate

Incorrect back Procedures Encodings
Queries

Amnesia ok ok ok ok fail ok ok

CANDID partial partial partial partial partial partial partial

Tainting partial partial partial partial partial partial partial

(WASP)
A NEW APPROACH

mentioned approaches:
errors can be detected only at runtime
hidden error or blocking valid queries
models: tightly fit to the applications

-> considerable human effort and significant expertise

A NEW APPROACH

New approach: Platform-level protection method

web application firewall: control and balance the flow of
information
plug-in for web server: more protection tasks, run faster
add a module to framework: solve request from clients
REFERENCES
1. William G.J. Halfond, Alessandro Orso, Panagiotis Manolios. WASP: Protecting Web
Applications Using Positive Tainting and Syntax-Aware Evaluation [online IEEE
transactions on software engineering; January/February 2008.
URL:http://ieeexplore.ieee.org.ezproxy.metropolia.fi/xpls/icp.jsp?arnumber=4359474.
Accessed 12 March 2015.

2. Sruthi Bandhakavi, Prithvi Bisht, P. Madhusudan, V. N. Venkatakrishnan. CANDID: pre-

venting sql injection attacks using dynamic candidate evaluations [online]. New York,
ACM New York; October 2007. URL:http://dl.acm.org.ezproxy.metropolia.fi/citation.cfm?
id=1315245.1315249&coll=DL&dl=ACM&CFID=636147638&CFTOKEN=79427405.
Accessed 12 March 2015.

3. William G.J. Halfond, Alessandro Orso. WASP: Preventing SQL injection attacks using
AMNESIA [online]. New York, ACM New York; May 2006.
URL:http://dl.acm.org.ezproxy.metropolia.fi/citation.cfm?
id=1134285.1134416&coll=DL&dl=ACM&CFID=636147638&CFTOKEN=79427405.
Accessed 12 March 2015.
REFERENCES
4. William G.J. Halfond, Jeremy Viegas, Alessandro Orso. A Classification of SQL
Injection Attacks and Countermeasures [online]. Atlanta, Georgia Institute of
Technology.
URL:http://www.cc.gatech.edu/fac/Alex.Orso/papers/halfond.viegas.orso.ISSSE06.
pdf. Accessed 12 March 2015.

5. Z. Lashkaripour, A. Ghaemi Bafghi. A Simple and Fast Technique for Detection and
Prevention of SQL Injection Attacks (SQLIAs) [online]. International Journal of
Security and Its Applications, Vol.7, No.5 (2013), pp.53-66.
URL:http://www.sersc.org/journals/IJSIA/vol7_no5_2013/5_2.pdf. Accessed 12
March 2015.
THANK YOU!

Potrebbero piacerti anche

Web Penetration Testing with Kali Linux - Second Edition
Da Everand
Web Penetration Testing with Kali Linux - Second Edition
Ansari Juned Ahmed
Nessuna valutazione finora
FInal
Documento9 pagine
FInal
Vivek JD
Nessuna valutazione finora
Web Goat
Documento73 pagine
Web Goat
Jun Woo Shim
Nessuna valutazione finora
60 Website Vulnerability Scanning System Using Python PY060
Documento7 pagine
60 Website Vulnerability Scanning System Using Python PY060
VijayKumar Lokanadam
Nessuna valutazione finora
AJP Report 51
Documento47 pagine
AJP Report 51
Rohit Gadekar
Nessuna valutazione finora
PY060
Documento7 pagine
PY060
Rohi shewalkar
Nessuna valutazione finora
Vulnerability Assessment & Penetration Testing (VAPT) Basics & Methodologies
Documento17 pagine
Vulnerability Assessment & Penetration Testing (VAPT) Basics & Methodologies
Yonas Mengistu
Nessuna valutazione finora
Ebug Final
Documento25 pagine
Ebug Final
vikramgandhi89
Nessuna valutazione finora
Easychair Preprint: Mohit Pankaj and Prabhash Kumar
Documento5 pagine
Easychair Preprint: Mohit Pankaj and Prabhash Kumar
jun mark
Nessuna valutazione finora
Sample Project Synopsis
Documento31 pagine
Sample Project Synopsis
Hariom
Nessuna valutazione finora
Praveen
Documento3 pagine
Praveen
saipraveen5b5
Nessuna valutazione finora
Reva Parikshak Online Examination System
Documento30 pagine
Reva Parikshak Online Examination System
Sandesh Sv
Nessuna valutazione finora
Mini Project
Documento20 pagine
Mini Project
Murtaza Burhani
Nessuna valutazione finora
Siddharth Institute of Engineering and Technology
Documento27 pagine
Siddharth Institute of Engineering and Technology
Binny Dara
Nessuna valutazione finora
Vulnerability Assessment and Penetration Testing
Documento25 pagine
Vulnerability Assessment and Penetration Testing
Yonas Mengistu
Nessuna valutazione finora
Project Report: Bachelor of Engineering
Documento23 pagine
Project Report: Bachelor of Engineering
sky
Nessuna valutazione finora
Face Detection
Documento23 pagine
Face Detection
nimarose 11
75% (4)
Binjal Patel: M.S. in Computer Science, May 2020
Documento2 pagine
Binjal Patel: M.S. in Computer Science, May 2020
Andy Patel
Nessuna valutazione finora
Web-Based Face Recognition Attendance System
Documento13 pagine
Web-Based Face Recognition Attendance System
Kazi Mahbubur Rahman
Nessuna valutazione finora
Ranjith S A .
Documento4 pagine
Ranjith S A .
Manoj kumar
Nessuna valutazione finora
(7887) Web Based Database and SMS To Facilitate Health Care
Documento7 pagine
(7887) Web Based Database and SMS To Facilitate Health Care
biswajit biswal
Nessuna valutazione finora
Domain 4
Documento8 pagine
Domain 4
Hossam Eissa
Nessuna valutazione finora
A Particle Swarm Optimized Learning Model of Fault Classification in Web-Apps
Documento10 pagine
A Particle Swarm Optimized Learning Model of Fault Classification in Web-Apps
Krishna Kumar
Nessuna valutazione finora
AnitaB Atlanta CyberSecurity Weekend Rana Khalil
Documento56 pagine
AnitaB Atlanta CyberSecurity Weekend Rana Khalil
gileyo
Nessuna valutazione finora
Face Recognition Based Attendance System
Documento38 pagine
Face Recognition Based Attendance System
Tyler Durden
Nessuna valutazione finora
Web Application Security: ISACA Bangalore Chapter Aug 2007 Runa Dwibedi
Documento49 pagine
Web Application Security: ISACA Bangalore Chapter Aug 2007 Runa Dwibedi
Akki ash
Nessuna valutazione finora
Web Application Security: ISACA Bangalore Chapter Aug 2007 Runa Dwibedi
Documento49 pagine
Web Application Security: ISACA Bangalore Chapter Aug 2007 Runa Dwibedi
Akki ash
Nessuna valutazione finora
Automated Invigilation Assignment System: Project ON
Documento25 pagine
Automated Invigilation Assignment System: Project ON
ARCHANA
Nessuna valutazione finora
Intro - Web and Application Security
Documento21 pagine
Intro - Web and Application Security
Heenisha Lachemykanden
Nessuna valutazione finora
Online Ethical Hacking Training Learn To Hack and Secure Web Applications Duration: 6 Weeks - Certified Training
Documento3 pagine
Online Ethical Hacking Training Learn To Hack and Secure Web Applications Duration: 6 Weeks - Certified Training
Praful Konjerla
Nessuna valutazione finora
Web AppSec Expert L 14-16 May 2024 L Parkroyal Hotel KL
Documento5 pagine
Web AppSec Expert L 14-16 May 2024 L Parkroyal Hotel KL
nicholas
Nessuna valutazione finora
OWASP Stammtisch Frankfurt - Web Application Firewall Bypassing - How To Defeat The Blue Team - 2015.10.29
Documento50 pagine
OWASP Stammtisch Frankfurt - Web Application Firewall Bypassing - How To Defeat The Blue Team - 2015.10.29
yshprasd
Nessuna valutazione finora
Jaydeep Patil 9518557084
Documento1 pagina
Jaydeep Patil 9518557084
wupu
Nessuna valutazione finora
Intro To Software Engg.: Fuuast
Documento10 pagine
Intro To Software Engg.: Fuuast
Syeda Aliya Tanveer
Nessuna valutazione finora
AprOwasp LOD FER WAL NewVersion
Documento68 pagine
AprOwasp LOD FER WAL NewVersion
Rohit Khurana
Nessuna valutazione finora
AppSec2005DC-Dan Cuthbert-Evolution of App Pen Testing
Documento23 pagine
AppSec2005DC-Dan Cuthbert-Evolution of App Pen Testing
api-3781846
Nessuna valutazione finora
Online Blood Bank System Synopsis
Documento30 pagine
Online Blood Bank System Synopsis
Vipul Rajput
Nessuna valutazione finora
Detecting Web
Documento5 pagine
Detecting Web
Junliegh permison
Nessuna valutazione finora
Presentation
Documento34 pagine
Presentation
Geroncia Laya
Nessuna valutazione finora
Development of A Pharmacy Management Online System For Zapanta Pharmacy
Documento6 pagine
Development of A Pharmacy Management Online System For Zapanta Pharmacy
Bea Louraine Rivera
Nessuna valutazione finora
Can (Automated) Testing Tools Really Find The OWASP Top 10?
Documento24 pagine
Can (Automated) Testing Tools Really Find The OWASP Top 10?
Sai Kiran
Nessuna valutazione finora
Capstone Presentation
Documento13 pagine
Capstone Presentation
Niel Ivan Montesa
Nessuna valutazione finora
Naukri PASUPULETIBHARATH 15398944 - 07 03 - 1
Documento6 pagine
Naukri PASUPULETIBHARATH 15398944 - 07 03 - 1
aravind563
Nessuna valutazione finora
Unit I Software Product and Process 1.0 Software
Documento18 pagine
Unit I Software Product and Process 1.0 Software
Anurag Singh
Nessuna valutazione finora
Software Engineering
Documento134 pagine
Software Engineering
vibio
Nessuna valutazione finora
1 Running Head: Online Examination System Project Report
Documento11 pagine
1 Running Head: Online Examination System Project Report
Ahmer Farooq
Nessuna valutazione finora
YGP BlackBook
Documento53 pagine
YGP BlackBook
Vishal Mane
Nessuna valutazione finora
Software Testing Microproject
Documento15 pagine
Software Testing Microproject
khenatavishkar
Nessuna valutazione finora
Owasp Final
Documento131 pagine
Owasp Final
jankoval
Nessuna valutazione finora
Online Bus Reservation System
Documento7 pagine
Online Bus Reservation System
Gabriel ANGEL
Nessuna valutazione finora
813 Presentation 15
Documento32 pagine
813 Presentation 15
shunsuke2412000
Nessuna valutazione finora
Curriculum-Vitae: Hemant Kumar Sharma
Documento13 pagine
Curriculum-Vitae: Hemant Kumar Sharma
Hemant Sharma
Nessuna valutazione finora
Covid Testing Management System
Documento28 pagine
Covid Testing Management System
PATIREDDY MANEESHA
Nessuna valutazione finora
Owasp Top 10
Documento41 pagine
Owasp Top 10
Nebula Bots
Nessuna valutazione finora
SnehaUike Resume
Documento1 pagina
SnehaUike Resume
sneha uike
Nessuna valutazione finora
Fuzzy Detection of Malicious Attacks On Web Applic
Documento8 pagine
Fuzzy Detection of Malicious Attacks On Web Applic
Pramono Pramono
Nessuna valutazione finora
Testing Web Applications: Muhammad Umair Naru
Documento29 pagine
Testing Web Applications: Muhammad Umair Naru
Naveed Shah
Nessuna valutazione finora
MCQWeb App
Documento3 pagine
MCQWeb App
Rupesh Bavge
Nessuna valutazione finora
Adikavi Nannaya University: University College of Engineering Rajamahendravaram
Documento11 pagine
Adikavi Nannaya University: University College of Engineering Rajamahendravaram
Vishnu Vardhan Creations
Nessuna valutazione finora
STUDENT File: Project Report On
Documento59 pagine
STUDENT File: Project Report On
Gaurav Kumar
Nessuna valutazione finora
University of Helsinki Recovery Plan
Documento1 pagina
University of Helsinki Recovery Plan
tieungunhi139
Nessuna valutazione finora
Paid Social Media Advertising in Modern Business COM8HH010-3004 (25.3. - 5.5. 2019)
Documento4 pagine
Paid Social Media Advertising in Modern Business COM8HH010-3004 (25.3. - 5.5. 2019)
tieungunhi139
Nessuna valutazione finora
Thesis Approval Process:: IT: Bachelors Degree
Documento1 pagina
Thesis Approval Process:: IT: Bachelors Degree
tieungunhi139
Nessuna valutazione finora
4 E21 5 Ettleplan: 1 Cloubi 2 Cloudstreet 3 CSC
Documento4 pagine
4 E21 5 Ettleplan: 1 Cloubi 2 Cloudstreet 3 CSC
tieungunhi139
Nessuna valutazione finora
Akdq PDF
Documento2 pagine
Akdq PDF
tieungunhi139
Nessuna valutazione finora
Lukkari T
Documento3 pagine
Lukkari T
tieungunhi139
Nessuna valutazione finora
Academic Vocabulary in Use Edition With Answers Vocabulary in Use
Documento178 pagine
Academic Vocabulary in Use Edition With Answers Vocabulary in Use
Rūta Ramanauskaitė
Nessuna valutazione finora
Cloud Aneka
Documento34 pagine
Cloud Aneka
tieungunhi139
Nessuna valutazione finora
Software Production: Software Requirements Visually Modeling Use Cases With Activity Diagrams
Documento20 pagine
Software Production: Software Requirements Visually Modeling Use Cases With Activity Diagrams
tieungunhi139
Nessuna valutazione finora
C4 Vectors - Vector Lines PDF
Documento33 pagine
C4 Vectors - Vector Lines PDF
Mohsin Naveed
Nessuna valutazione finora
Gomez-Acevedo 2010 Neotropical Mutualism Between Acacia and Pseudomyrmex Phylogeny and Divergence Times
Documento16 pagine
Gomez-Acevedo 2010 Neotropical Mutualism Between Acacia and Pseudomyrmex Phylogeny and Divergence Times
TheChaoticFlame
Nessuna valutazione finora
Chapter 1
Documento6 pagine
Chapter 1
Grandmaster Meow
Nessuna valutazione finora
Beyond "The Arc of Freedom and Prosperity": Debating Universal Values in Japanese Grand Strategy
Documento9 pagine
Beyond "The Arc of Freedom and Prosperity": Debating Universal Values in Japanese Grand Strategy
German Marshall Fund of the United States
Nessuna valutazione finora
CS8CHP Eletrical
Documento52 pagine
CS8CHP Eletrical
Cristian ricardo russo
Nessuna valutazione finora
Project Document Ei
Documento66 pagine
Project Document Ei
Prathap Reddy
Nessuna valutazione finora
List of Sovereign States and Dependent Territories by Birth Rate
Documento7 pagine
List of Sovereign States and Dependent Territories by Birth Rate
Luminita Cocos
Nessuna valutazione finora
Prospekt Puk U5 en Mail 1185
Documento8 pagine
Prospekt Puk U5 en Mail 1185
sakthivel
Nessuna valutazione finora
Agency Canvas Ing Presentation
Documento27 pagine
Agency Canvas Ing Presentation
khushi jaiswal
Nessuna valutazione finora
Toh MFS8B 98B 003-11114-3AG1 PDF
Documento92 pagine
Toh MFS8B 98B 003-11114-3AG1 PDF
Dmitry Nemtsoff
Nessuna valutazione finora
EVOM Manual
Documento2 pagine
EVOM Manual
Houston White
Nessuna valutazione finora
Current Concepts in Elbow Fracture Dislocation: Adam C Watts, Jagwant Singh, Michael Elvey and Zaid Hamoodi
Documento8 pagine
Current Concepts in Elbow Fracture Dislocation: Adam C Watts, Jagwant Singh, Michael Elvey and Zaid Hamoodi
João Artur Bonadiman
Nessuna valutazione finora
10 Killer Tips For Transcribing Jazz Solos - Jazz Advice
Documento21 pagine
10 Killer Tips For Transcribing Jazz Solos - Jazz Advice
cdmb
100% (2)
Forex Day Trading System
Documento17 pagine
Forex Day Trading System
Social Malik
100% (1)
Hydro Electric Fire History
Documento3 pagine
Hydro Electric Fire History
gdmurf
Nessuna valutazione finora
Gracie Warhurst Warhurst
Documento1 pagina
Gracie Warhurst Warhurst
api-439916871
Nessuna valutazione finora
UM-140-D00221-07 SeaTrac Developer Guide (Firmware v2.4)
Documento154 pagine
UM-140-D00221-07 SeaTrac Developer Guide (Firmware v2.4)
Antony Jacob Ashish
Nessuna valutazione finora
TFG
Documento46 pagine
TFG
Alex Gigena
50% (2)
Bandhan Neft Rtgs Form
Documento2 pagine
Bandhan Neft Rtgs Form
Mohit Goyal
50% (4)
Alkosign Product Cataloge
Documento20 pagine
Alkosign Product Cataloge
Shree Agrawal
Nessuna valutazione finora
1B20 40
Documento4 pagine
1B20 40
Electrival Tcataller
Nessuna valutazione finora
Intelligent Design
Documento21 pagine
Intelligent Design
Dan W Reynolds
Nessuna valutazione finora
Conservation Assignment 02
Documento16 pagine
Conservation Assignment 02
RAJU VENKATA
Nessuna valutazione finora
S4 HANALicensing Model External V19
Documento28 pagine
S4 HANALicensing Model External V19
Edir Junior
Nessuna valutazione finora
Contoh Discussion Text Tentang Homework
Documento8 pagine
Contoh Discussion Text Tentang Homework
g3p35rs6
100% (1)
Transportasi Distribusi Migas
Documento25 pagine
Transportasi Distribusi Migas
Dian Permatasari
100% (1)
Smart Protein Plant Based Food Sector Report 2
Documento199 pagine
Smart Protein Plant Based Food Sector Report 2
campeon00magnates
Nessuna valutazione finora
Financial Management 2E: Rajiv Srivastava - Dr. Anil Misra Solutions To Numerical Problems
Documento5 pagine
Financial Management 2E: Rajiv Srivastava - Dr. Anil Misra Solutions To Numerical Problems
Paresh Shah
Nessuna valutazione finora
Math 9 Quiz 4
Documento3 pagine
Math 9 Quiz 4
Lin Sisomboun
Nessuna valutazione finora
The Privatization Policy
Documento14 pagine
The Privatization Policy
RIBLEN EDORINA
Nessuna valutazione finora