SlideShare a Scribd company logo

Computer security Description about SQL-Injection and SYN attacks

Download as pptx, pdf
T
Tesfahunegn Minwuyelet

I hope this helpes you to know more about what is SQL-injection and SYN attack and SYN foolds this present with there description also how to prvent this attacks.

1 of 21
Download to read offline
Slide 1 Bahir Dar University Bahir Dar institute of technology Faculty of computing Department of computer science 4th year Section B Computer Security Assignment Presentation BY:-Tesfahunegn Minwuyelet S Date of Submission: 09/11/2016 GC.
Slide 2 SQL injection and SYN Attack Contents SQL injection Types of SQL injection (SQLi) Parameters to protection SYN Attack SYN flood defence categories 10 Hacks that made headlines
Slide 3 SQL Injection  is a technique where malicious users can inject SQL commands into an SQL statement, via web page input.  Injected SQL commands can alter SQL statement and compromise the security of a web application.  is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).  consists of insertion or "injection" of a SQL query via the input data from the client to the application.  The risk of SQL injection exploits is on the rise because of automated tools. In the past, the danger was somewhat limited because an exploit had to be carried out manually: an attacker had to actually type their SQL statement into a text box.
Slide 4 Types of SQL injection  SQL Injection can be used in a range of ways to cause serious problems. By levering SQL Injection, an attacker could bypass authentication, access, modify and delete data within a database. In some cases, SQL Injection can even be used to execute commands on the operating system, potentially allowing an attacker to escalate to more damaging attacks inside of a network that sits behind a firewall.  There are three types of SQLI  In-band SQLi(Classic SQLI)  Inferential SQLI  Out-of –band SQLI
Slide 5 In-band sqli(classic sql)  is the most common and easy-to-exploit of SQL Injection attacks.  it occurs when an attacker is able to use the same communication channel to both launch the attack and gather results.  The two most common types of in-band SQL Injection are  Error-based SQLi  Union-based SQLi
Slide 6 Error-based SQLi  is an in-band SQL Injection technique that relies on error messages thrown by the database server to obtain information about the structure of the database.  In some cases, error-based SQL injection alone is enough for an attacker to enumerate an entire database.  While errors are very useful during the development phase of a web application, they should be disabled on a live site, or logged to a file with restricted access instead.
Slide 7 Union-based SQLi  Union-based SQLi is an in-band SQL injection technique that leverages the UNION SQL operator to combine the results of two or more SELECT statements into a single result which is then returned as part of the HTTP response
Slide 8 Inferential sqli (Blind sqli)  unlike in-band SQLi, may take longer for an attacker to exploit, however, it is just as dangerous as any other form of SQL Injection  commonly referred to as “blind SQ , no data is actually transferred via the web application and the attacker would not be able to see the result of an attack in-band L Injection attacks” because  The two types of inferential SQL Injection are  Blind-boolean-based SQLi  Blind-time-based SQLi.
Slide 9 Blind-boolean-based SQLi  technique that relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result.  even though no data from the database is returned.  This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database, character by character.
Slide 10 Blind-time-based SQLi  that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE.  even though no data from the database is returned.  This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database character by character.
Slide 11 Out-of-band SQLi  is not very common, mostly because it depends on features being enabled on the database server being used by the web application  It occurs when an attacker is unable to use the same channel to launch the attack and gather results.  would rely on the database server’s ability to make DNS or HTTP requests to deliver data to an attacker  Such is the case with Microsoft SQL Server’s xp_dirtree command, which can be used to make DNS requests to a server an attacker controls; as well as Oracle Database’s UTL_HTTP package, which can be used to send HTTP requests from SQL and PL/SQL to a server an attacker controls.
Slide 12  SQL Injection Based on 1=1 is Always True  SQL Injection Based on ""="" is Always True  SQL Injection Based on Batched SQL Statements  Parameters for protection  Some web developers use a "blacklist" of words or characters to search for in SQL input, to prevent SQL injection attacks. This is not a very good idea. Many of these words (like delete or drop) and characters (like semicolons and quotation marks), are used in common language, and should be allowed in many types of input. (In fact, it should be perfectly legal to input an SQL statement in a database field.) The only proven way to protect a web site from SQL injection attacks, is to use SQL parameters. SQL parameters are values that are added to an SQL query at execution time, in a controlled manner.
Slide 13 SYN Attack  A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.  A SYN attack is a type of denial-of-service (DoS) attack in which an attacker utilizes the communication protocol of the Internet  For each SYN packet received, the target machine allocates resources and sends an acknowledgement (SYN-ACK) to the source IP address.  Because the target machine doesn't receive a response from the attacking machine, it attempts to resend the SYN-ACK five times, at 3-, 6-, 12-, 24-, and 48-second intervals, before un allocating the resources 96 seconds after attempting the last retry
Slide 14 Continue…  The SYN flood attack is the most common type of flooding attack. The attack occurs when the attacker sends large number of SYN packets to the victim, forcing them to wait for replies that never come. The third part of the TCP three- way handshake is not executed  The source address of these SYN packets in a SYN flood attack is typically set to an unreachable host. As a result, it is impossible to find the attacking computer.
Slide 15 SYN flood defense categories  Firewall based • Examples: SYN Defender, SYN proxying • Filters packets and requests before router • Maintains state for each connection • Drawbacks: can be overloaded, extra delay for processing each packet
Slide 16 Continue…  Server Based • Examples: SYN Cache, SYN cookies • SYN cache receives packets first and then uses a hash table, to partially store states, • Removes the need to watch half open connections • Implemented in LINUX
Slide 17 Continue…  SYN kill  SYN kill monitors the network and if it detects SYNs that are not being acknowledge.  It automatically generates RST packets to free  It automatically generates RST packets to free resources,  It classifies addresses as likely to be spoofed or legitimate…
Slide 18 Continue…  MULTOPS  Monitors the packets going to and from a victim  Blocks IPs from outside of network…  limiting IP range of attack.
Slide 19 Continue…  Route-based Distributed Packet filtering  Uses packet information to determine if packet arriving at router has a spoofed Source /Destination addresses  Results show many packets can be filtered and those that can’t can be traced back easily
Slide 20 10 HACKS THAT MADE HEADLINES  Markus Hess hacks on behalf of the KGB  Robert Morris hacks the internet  Vladimir Levin hacks Citibank  Jonathon James hacks NASA  Adrian Lamo hacks the New York Times  Gary McKinnon hacks the US military  Albert Gonzalez hacks TJX (and many more)  Anonymous hacks HB Gary  Lulzsec hacks Sony  News of the World hacking scandal
Slide 21 Thanks!!
Ad

Recommended

1738 1742
1738 17421738 1742
1738 1742
Editor IJARCET
 
Report on xss and do s
Report on xss and do sReport on xss and do s
Report on xss and do s
mehr77
 
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Yuji Kosuga
 
Automated Detection of Session Fixation Vulnerabilities
Automated Detection of Session Fixation VulnerabilitiesAutomated Detection of Session Fixation Vulnerabilities
Automated Detection of Session Fixation Vulnerabilities
Yuji Kosuga
 
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Inje...
Yuji Kosuga
 
50063
5006350063
50063
Rui Dong
 
44641917 091011
44641917 09101144641917 091011
44641917 091011
pratibha1489
 
Analysis on Common Network Attacks & Vulnerability Scanners
Analysis on Common Network Attacks & Vulnerability ScannersAnalysis on Common Network Attacks & Vulnerability Scanners
Analysis on Common Network Attacks & Vulnerability Scanners
PROBOTEK
 
Connection String Parameter Pollution Attacks
Connection String Parameter Pollution AttacksConnection String Parameter Pollution Attacks
Connection String Parameter Pollution Attacks
Chema Alonso
 
FRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATION
FRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATIONFRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATION
FRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATION
ijiert bestjournal
 
Brute Force Attack Security Use Case Guide
Brute Force Attack Security Use Case Guide Brute Force Attack Security Use Case Guide
Brute Force Attack Security Use Case Guide
Protect724manoj
 
Sql injection & command injection
Sql injection & command injectionSql injection & command injection
Sql injection & command injection
Lahore Garrison University
 
ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...
ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...
ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...
IJECEIAES
 
How "·$% developers defeat the web vulnerability scanners
How "·$% developers defeat the web vulnerability scannersHow "·$% developers defeat the web vulnerability scanners
How "·$% developers defeat the web vulnerability scanners
Chema Alonso
 
Zeus Software Security Technology
Zeus Software Security TechnologyZeus Software Security Technology
Zeus Software Security Technology
Alex G. Lee, Ph.D. Esq. CLP
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?
Tomasz Jakubowski
 
Defeating spyware and forensics on the black berry draft
Defeating spyware and forensics on the black berry draftDefeating spyware and forensics on the black berry draft
Defeating spyware and forensics on the black berry draft
idsecconf
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application Vulnerabilities
Preetish Panda
 
Os Command Injection Attack
Os Command Injection AttackOs Command Injection Attack
Os Command Injection Attack
Raghav Bisht
 
Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the Cloud
Alert Logic
 
Sql injection
Sql injectionSql injection
Sql injection
Manjushree Mashal
 
Kingston University Thesis - Design and Implementation of a Secure Web Applic...
Kingston University Thesis - Design and Implementation of a Secure Web Applic...Kingston University Thesis - Design and Implementation of a Secure Web Applic...
Kingston University Thesis - Design and Implementation of a Secure Web Applic...
PROBOTEK
 
System hacking
System hackingSystem hacking
System hacking
CAS
 
ENGS4851_Final_Certified_Report
ENGS4851_Final_Certified_ReportENGS4851_Final_Certified_Report
ENGS4851_Final_Certified_Report
Nagendra Posani
 
Ch08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System VulnerabilitiesCh08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System Vulnerabilities
phanleson
 
Ijmet 10 02_045
Ijmet 10 02_045Ijmet 10 02_045
Ijmet 10 02_045
IAEME Publication
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Aaron ND Sawmadal
 
Seminar2015Bilic_Nicole
Seminar2015Bilic_NicoleSeminar2015Bilic_Nicole
Seminar2015Bilic_Nicole
Nicole Bili?
 
IRJET - SQL Injection: Attack & Mitigation
IRJET - SQL Injection: Attack & MitigationIRJET - SQL Injection: Attack & Mitigation
IRJET - SQL Injection: Attack & Mitigation
IRJET Journal
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSWeb Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Ivan Ortega
 
Ad

More Related Content

What's hot (19)

Connection String Parameter Pollution Attacks
Connection String Parameter Pollution AttacksConnection String Parameter Pollution Attacks
Connection String Parameter Pollution Attacks
Chema Alonso
 
FRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATION
FRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATIONFRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATION
FRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATION
ijiert bestjournal
 
Brute Force Attack Security Use Case Guide
Brute Force Attack Security Use Case Guide Brute Force Attack Security Use Case Guide
Brute Force Attack Security Use Case Guide
Protect724manoj
 
Sql injection & command injection
Sql injection & command injectionSql injection & command injection
Sql injection & command injection
Lahore Garrison University
 
ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...
ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...
ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...
IJECEIAES
 
How "·$% developers defeat the web vulnerability scanners
How "·$% developers defeat the web vulnerability scannersHow "·$% developers defeat the web vulnerability scanners
How "·$% developers defeat the web vulnerability scanners
Chema Alonso
 
Zeus Software Security Technology
Zeus Software Security TechnologyZeus Software Security Technology
Zeus Software Security Technology
Alex G. Lee, Ph.D. Esq. CLP
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?
Tomasz Jakubowski
 
Defeating spyware and forensics on the black berry draft
Defeating spyware and forensics on the black berry draftDefeating spyware and forensics on the black berry draft
Defeating spyware and forensics on the black berry draft
idsecconf
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application Vulnerabilities
Preetish Panda
 
Os Command Injection Attack
Os Command Injection AttackOs Command Injection Attack
Os Command Injection Attack
Raghav Bisht
 
Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the Cloud
Alert Logic
 
Sql injection
Sql injectionSql injection
Sql injection
Manjushree Mashal
 
Kingston University Thesis - Design and Implementation of a Secure Web Applic...
Kingston University Thesis - Design and Implementation of a Secure Web Applic...Kingston University Thesis - Design and Implementation of a Secure Web Applic...
Kingston University Thesis - Design and Implementation of a Secure Web Applic...
PROBOTEK
 
System hacking
System hackingSystem hacking
System hacking
CAS
 
ENGS4851_Final_Certified_Report
ENGS4851_Final_Certified_ReportENGS4851_Final_Certified_Report
ENGS4851_Final_Certified_Report
Nagendra Posani
 
Ch08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System VulnerabilitiesCh08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System Vulnerabilities
phanleson
 
Ijmet 10 02_045
Ijmet 10 02_045Ijmet 10 02_045
Ijmet 10 02_045
IAEME Publication
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Aaron ND Sawmadal
 
Connection String Parameter Pollution Attacks
Connection String Parameter Pollution AttacksConnection String Parameter Pollution Attacks
Connection String Parameter Pollution Attacks
Chema Alonso
 
FRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATION
FRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATIONFRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATION
FRONT END AND BACK END DATABASE SECURITY IN THREE TIER WEB APPLICATION
ijiert bestjournal
 
Brute Force Attack Security Use Case Guide
Brute Force Attack Security Use Case Guide Brute Force Attack Security Use Case Guide
Brute Force Attack Security Use Case Guide
Protect724manoj
 
Sql injection & command injection
Sql injection & command injectionSql injection & command injection
Sql injection & command injection
Lahore Garrison University
 
ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...
ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...
ImageSubXSS: an image substitute technique to prevent Cross-Site Scripting at...
IJECEIAES
 
How "·$% developers defeat the web vulnerability scanners
How "·$% developers defeat the web vulnerability scannersHow "·$% developers defeat the web vulnerability scanners
How "·$% developers defeat the web vulnerability scanners
Chema Alonso
 
Zeus Software Security Technology
Zeus Software Security TechnologyZeus Software Security Technology
Zeus Software Security Technology
Alex G. Lee, Ph.D. Esq. CLP
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?
Tomasz Jakubowski
 
Defeating spyware and forensics on the black berry draft
Defeating spyware and forensics on the black berry draftDefeating spyware and forensics on the black berry draft
Defeating spyware and forensics on the black berry draft
idsecconf
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application Vulnerabilities
Preetish Panda
 
Os Command Injection Attack
Os Command Injection AttackOs Command Injection Attack
Os Command Injection Attack
Raghav Bisht
 
Security Implications of the Cloud
Security Implications of the CloudSecurity Implications of the Cloud
Security Implications of the Cloud
Alert Logic
 
Sql injection
Sql injectionSql injection
Sql injection
Manjushree Mashal
 
Kingston University Thesis - Design and Implementation of a Secure Web Applic...
Kingston University Thesis - Design and Implementation of a Secure Web Applic...Kingston University Thesis - Design and Implementation of a Secure Web Applic...
Kingston University Thesis - Design and Implementation of a Secure Web Applic...
PROBOTEK
 
System hacking
System hackingSystem hacking
System hacking
CAS
 
ENGS4851_Final_Certified_Report
ENGS4851_Final_Certified_ReportENGS4851_Final_Certified_Report
ENGS4851_Final_Certified_Report
Nagendra Posani
 
Ch08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System VulnerabilitiesCh08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System Vulnerabilities
phanleson
 
Ijmet 10 02_045
Ijmet 10 02_045Ijmet 10 02_045
Ijmet 10 02_045
IAEME Publication
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Aaron ND Sawmadal
 

Similar to Computer security Description about SQL-Injection and SYN attacks (20)

Seminar2015Bilic_Nicole
Seminar2015Bilic_NicoleSeminar2015Bilic_Nicole
Seminar2015Bilic_Nicole
Nicole Bili?
 
IRJET - SQL Injection: Attack & Mitigation
IRJET - SQL Injection: Attack & MitigationIRJET - SQL Injection: Attack & Mitigation
IRJET - SQL Injection: Attack & Mitigation
IRJET Journal
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSWeb Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Ivan Ortega
 
Sql injections (Basic bypass authentication)
Sql injections (Basic bypass authentication)Sql injections (Basic bypass authentication)
Sql injections (Basic bypass authentication)
Ravindra Singh Rathore
 
SQL injection implementation and prevention
SQL injection implementation and prevention SQL injection implementation and prevention
SQL injection implementation and prevention
Rejaul Islam Royel
 
ENHANCING THE IMPREGNABILITY OF LINUX SERVERS
ENHANCING THE IMPREGNABILITY OF LINUX SERVERSENHANCING THE IMPREGNABILITY OF LINUX SERVERS
ENHANCING THE IMPREGNABILITY OF LINUX SERVERS
IJNSA Journal
 
Enhancing the impregnability of linux servers
Enhancing the impregnability of linux serversEnhancing the impregnability of linux servers
Enhancing the impregnability of linux servers
IJNSA Journal
 
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions www.ijeijournal.com
 
How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM
AlienVault
 
Security vulnerabilities related to web-based data
Security vulnerabilities related to web-based dataSecurity vulnerabilities related to web-based data
Security vulnerabilities related to web-based data
TELKOMNIKA JOURNAL
 
Sql injection
Sql injectionSql injection
Sql injection
Suraj Tiwari
 
Op2423922398
Op2423922398Op2423922398
Op2423922398
IJERA Editor
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackrose
Noaman Aziz
 
SQL Injection: Unraveling the Threats
SQL Injection: Unraveling the ThreatsSQL Injection: Unraveling the Threats
SQL Injection: Unraveling the Threats
InsecureLab
 
1738 1742
1738 17421738 1742
1738 1742
Editor IJARCET
 
SQL Injection Prevention by Adaptive Algorithm
SQL Injection Prevention by Adaptive AlgorithmSQL Injection Prevention by Adaptive Algorithm
SQL Injection Prevention by Adaptive Algorithm
IOSR Journals
 
E017131924
E017131924E017131924
E017131924
IOSR Journals
 
GreenSQL Security
GreenSQL Security GreenSQL Security
GreenSQL Security
ijsrd.com
 
SQL Injection and Clickjacking Attack in Web security
SQL Injection and Clickjacking Attack in Web securitySQL Injection and Clickjacking Attack in Web security
SQL Injection and Clickjacking Attack in Web security
Moutasm Tamimi
 
Ijcatr04041018
Ijcatr04041018Ijcatr04041018
Ijcatr04041018
Editor IJCATR
 
Seminar2015Bilic_Nicole
Seminar2015Bilic_NicoleSeminar2015Bilic_Nicole
Seminar2015Bilic_Nicole
Nicole Bili?
 
IRJET - SQL Injection: Attack & Mitigation
IRJET - SQL Injection: Attack & MitigationIRJET - SQL Injection: Attack & Mitigation
IRJET - SQL Injection: Attack & Mitigation
IRJET Journal
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSWeb Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Ivan Ortega
 
Sql injections (Basic bypass authentication)
Sql injections (Basic bypass authentication)Sql injections (Basic bypass authentication)
Sql injections (Basic bypass authentication)
Ravindra Singh Rathore
 
SQL injection implementation and prevention
SQL injection implementation and prevention SQL injection implementation and prevention
SQL injection implementation and prevention
Rejaul Islam Royel
 
ENHANCING THE IMPREGNABILITY OF LINUX SERVERS
ENHANCING THE IMPREGNABILITY OF LINUX SERVERSENHANCING THE IMPREGNABILITY OF LINUX SERVERS
ENHANCING THE IMPREGNABILITY OF LINUX SERVERS
IJNSA Journal
 
Enhancing the impregnability of linux servers
Enhancing the impregnability of linux serversEnhancing the impregnability of linux servers
Enhancing the impregnability of linux servers
IJNSA Journal
 
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions www.ijeijournal.com
 
How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM
AlienVault
 
Security vulnerabilities related to web-based data
Security vulnerabilities related to web-based dataSecurity vulnerabilities related to web-based data
Security vulnerabilities related to web-based data
TELKOMNIKA JOURNAL
 
Sql injection
Sql injectionSql injection
Sql injection
Suraj Tiwari
 
Op2423922398
Op2423922398Op2423922398
Op2423922398
IJERA Editor
 
Sql injection bypassing hand book blackrose
Sql injection bypassing hand book blackroseSql injection bypassing hand book blackrose
Sql injection bypassing hand book blackrose
Noaman Aziz
 
SQL Injection: Unraveling the Threats
SQL Injection: Unraveling the ThreatsSQL Injection: Unraveling the Threats
SQL Injection: Unraveling the Threats
InsecureLab
 
1738 1742
1738 17421738 1742
1738 1742
Editor IJARCET
 
SQL Injection Prevention by Adaptive Algorithm
SQL Injection Prevention by Adaptive AlgorithmSQL Injection Prevention by Adaptive Algorithm
SQL Injection Prevention by Adaptive Algorithm
IOSR Journals
 
E017131924
E017131924E017131924
E017131924
IOSR Journals
 
GreenSQL Security
GreenSQL Security GreenSQL Security
GreenSQL Security
ijsrd.com
 
SQL Injection and Clickjacking Attack in Web security
SQL Injection and Clickjacking Attack in Web securitySQL Injection and Clickjacking Attack in Web security
SQL Injection and Clickjacking Attack in Web security
Moutasm Tamimi
 
Ijcatr04041018
Ijcatr04041018Ijcatr04041018
Ijcatr04041018
Editor IJCATR
 
Ad

Recently uploaded (20)

LDMMIA Reiki Yoga S6 Free Workshop Money Pt 2
LDMMIA Reiki Yoga S6 Free Workshop Money Pt 2LDMMIA Reiki Yoga S6 Free Workshop Money Pt 2
LDMMIA Reiki Yoga S6 Free Workshop Money Pt 2
LDM & Mia eStudios
 
IMPACT_OF_SOCIAL-MEDIA- AMONG- TEENAGERS
IMPACT_OF_SOCIAL-MEDIA- AMONG- TEENAGERSIMPACT_OF_SOCIAL-MEDIA- AMONG- TEENAGERS
IMPACT_OF_SOCIAL-MEDIA- AMONG- TEENAGERS
rajaselviazhagiri1
 
How to Manage Manual Reordering Rule in Odoo 18 Inventory
How to Manage Manual Reordering Rule in Odoo 18 InventoryHow to Manage Manual Reordering Rule in Odoo 18 Inventory
How to Manage Manual Reordering Rule in Odoo 18 Inventory
Celine George
 
How to Use Upgrade Code Command in Odoo 18
How to Use Upgrade Code Command in Odoo 18How to Use Upgrade Code Command in Odoo 18
How to Use Upgrade Code Command in Odoo 18
Celine George
 
COPA Apprentice exam Questions and answers PDF
COPA Apprentice exam Questions and answers PDFCOPA Apprentice exam Questions and answers PDF
COPA Apprentice exam Questions and answers PDF
SONU HEETSON
 
E-Filing_of_Income_Tax.pptx and concept of form 26AS
E-Filing_of_Income_Tax.pptx and concept of form 26ASE-Filing_of_Income_Tax.pptx and concept of form 26AS
E-Filing_of_Income_Tax.pptx and concept of form 26AS
Abinash Palangdar
 
Classification of mental disorder in 5th semester bsc. nursing and also used ...
Classification of mental disorder in 5th semester bsc. nursing and also used ...Classification of mental disorder in 5th semester bsc. nursing and also used ...
Classification of mental disorder in 5th semester bsc. nursing and also used ...
parmarjuli1412
 
CNS infections (encephalitis, meningitis & Brain abscess
CNS infections (encephalitis, meningitis & Brain abscessCNS infections (encephalitis, meningitis & Brain abscess
CNS infections (encephalitis, meningitis & Brain abscess
Mohamed Rizk Khodair
 
INSULIN.pptx by Arka Das (Bsc. Critical care technology)
INSULIN.pptx by Arka Das (Bsc. Critical care technology)INSULIN.pptx by Arka Das (Bsc. Critical care technology)
INSULIN.pptx by Arka Das (Bsc. Critical care technology)
ArkaDas54
 
How to Configure Extra Steps During Checkout in Odoo 18 Website
How to Configure Extra Steps During Checkout in Odoo 18 WebsiteHow to Configure Extra Steps During Checkout in Odoo 18 Website
How to Configure Extra Steps During Checkout in Odoo 18 Website
Celine George
 
How to Manage Amounts in Local Currency in Odoo 18 Purchase
How to Manage Amounts in Local Currency in Odoo 18 PurchaseHow to Manage Amounts in Local Currency in Odoo 18 Purchase
How to Manage Amounts in Local Currency in Odoo 18 Purchase
Celine George
 
Search Matching Applicants in Odoo 18 - Odoo Slides
Search Matching Applicants in Odoo 18 - Odoo SlidesSearch Matching Applicants in Odoo 18 - Odoo Slides
Search Matching Applicants in Odoo 18 - Odoo Slides
Celine George
 
libbys peer assesment.docx..............
libbys peer assesment.docx..............libbys peer assesment.docx..............
libbys peer assesment.docx..............
19lburrell
 
U3 ANTITUBERCULAR DRUGS Pharmacology 3.pptx
U3 ANTITUBERCULAR DRUGS Pharmacology 3.pptxU3 ANTITUBERCULAR DRUGS Pharmacology 3.pptx
U3 ANTITUBERCULAR DRUGS Pharmacology 3.pptx
Mayuri Chavan
 
Module_2_Types_and_Approaches_of_Research (2).pptx
Module_2_Types_and_Approaches_of_Research (2).pptxModule_2_Types_and_Approaches_of_Research (2).pptx
Module_2_Types_and_Approaches_of_Research (2).pptx
drroxannekemp
 
Origin of Brahmi script: A breaking down of various theories
Origin of Brahmi script: A breaking down of various theoriesOrigin of Brahmi script: A breaking down of various theories
Origin of Brahmi script: A breaking down of various theories
PrachiSontakke5
 
Module 1: Foundations of Research
Module 1: Foundations of ResearchModule 1: Foundations of Research
Module 1: Foundations of Research
drroxannekemp
 
How To Maximize Sales Performance using Odoo 18 Diverse views in sales module
How To Maximize Sales Performance using Odoo 18 Diverse views in sales moduleHow To Maximize Sales Performance using Odoo 18 Diverse views in sales module
How To Maximize Sales Performance using Odoo 18 Diverse views in sales module
Celine George
 
Look Up, Look Down: Spotting Local History Everywhere
Look Up, Look Down: Spotting Local History EverywhereLook Up, Look Down: Spotting Local History Everywhere
Look Up, Look Down: Spotting Local History Everywhere
History of Stoke Newington
 
MCQS (EMERGENCY NURSING) DR. NASIR MUSTAFA
MCQS (EMERGENCY NURSING) DR. NASIR MUSTAFAMCQS (EMERGENCY NURSING) DR. NASIR MUSTAFA
MCQS (EMERGENCY NURSING) DR. NASIR MUSTAFA
Dr. Nasir Mustafa
 
LDMMIA Reiki Yoga S6 Free Workshop Money Pt 2
LDMMIA Reiki Yoga S6 Free Workshop Money Pt 2LDMMIA Reiki Yoga S6 Free Workshop Money Pt 2
LDMMIA Reiki Yoga S6 Free Workshop Money Pt 2
LDM & Mia eStudios
 
IMPACT_OF_SOCIAL-MEDIA- AMONG- TEENAGERS
IMPACT_OF_SOCIAL-MEDIA- AMONG- TEENAGERSIMPACT_OF_SOCIAL-MEDIA- AMONG- TEENAGERS
IMPACT_OF_SOCIAL-MEDIA- AMONG- TEENAGERS
rajaselviazhagiri1
 
How to Manage Manual Reordering Rule in Odoo 18 Inventory
How to Manage Manual Reordering Rule in Odoo 18 InventoryHow to Manage Manual Reordering Rule in Odoo 18 Inventory
How to Manage Manual Reordering Rule in Odoo 18 Inventory
Celine George
 
How to Use Upgrade Code Command in Odoo 18
How to Use Upgrade Code Command in Odoo 18How to Use Upgrade Code Command in Odoo 18
How to Use Upgrade Code Command in Odoo 18
Celine George
 
COPA Apprentice exam Questions and answers PDF
COPA Apprentice exam Questions and answers PDFCOPA Apprentice exam Questions and answers PDF
COPA Apprentice exam Questions and answers PDF
SONU HEETSON
 
E-Filing_of_Income_Tax.pptx and concept of form 26AS
E-Filing_of_Income_Tax.pptx and concept of form 26ASE-Filing_of_Income_Tax.pptx and concept of form 26AS
E-Filing_of_Income_Tax.pptx and concept of form 26AS
Abinash Palangdar
 
Classification of mental disorder in 5th semester bsc. nursing and also used ...
Classification of mental disorder in 5th semester bsc. nursing and also used ...Classification of mental disorder in 5th semester bsc. nursing and also used ...
Classification of mental disorder in 5th semester bsc. nursing and also used ...
parmarjuli1412
 
CNS infections (encephalitis, meningitis & Brain abscess
CNS infections (encephalitis, meningitis & Brain abscessCNS infections (encephalitis, meningitis & Brain abscess
CNS infections (encephalitis, meningitis & Brain abscess
Mohamed Rizk Khodair
 
INSULIN.pptx by Arka Das (Bsc. Critical care technology)
INSULIN.pptx by Arka Das (Bsc. Critical care technology)INSULIN.pptx by Arka Das (Bsc. Critical care technology)
INSULIN.pptx by Arka Das (Bsc. Critical care technology)
ArkaDas54
 
How to Configure Extra Steps During Checkout in Odoo 18 Website
How to Configure Extra Steps During Checkout in Odoo 18 WebsiteHow to Configure Extra Steps During Checkout in Odoo 18 Website
How to Configure Extra Steps During Checkout in Odoo 18 Website
Celine George
 
How to Manage Amounts in Local Currency in Odoo 18 Purchase
How to Manage Amounts in Local Currency in Odoo 18 PurchaseHow to Manage Amounts in Local Currency in Odoo 18 Purchase
How to Manage Amounts in Local Currency in Odoo 18 Purchase
Celine George
 
Search Matching Applicants in Odoo 18 - Odoo Slides
Search Matching Applicants in Odoo 18 - Odoo SlidesSearch Matching Applicants in Odoo 18 - Odoo Slides
Search Matching Applicants in Odoo 18 - Odoo Slides
Celine George
 
libbys peer assesment.docx..............
libbys peer assesment.docx..............libbys peer assesment.docx..............
libbys peer assesment.docx..............
19lburrell
 
U3 ANTITUBERCULAR DRUGS Pharmacology 3.pptx
U3 ANTITUBERCULAR DRUGS Pharmacology 3.pptxU3 ANTITUBERCULAR DRUGS Pharmacology 3.pptx
U3 ANTITUBERCULAR DRUGS Pharmacology 3.pptx
Mayuri Chavan
 
Module_2_Types_and_Approaches_of_Research (2).pptx
Module_2_Types_and_Approaches_of_Research (2).pptxModule_2_Types_and_Approaches_of_Research (2).pptx
Module_2_Types_and_Approaches_of_Research (2).pptx
drroxannekemp
 
Origin of Brahmi script: A breaking down of various theories
Origin of Brahmi script: A breaking down of various theoriesOrigin of Brahmi script: A breaking down of various theories
Origin of Brahmi script: A breaking down of various theories
PrachiSontakke5
 
Module 1: Foundations of Research
Module 1: Foundations of ResearchModule 1: Foundations of Research
Module 1: Foundations of Research
drroxannekemp
 
How To Maximize Sales Performance using Odoo 18 Diverse views in sales module
How To Maximize Sales Performance using Odoo 18 Diverse views in sales moduleHow To Maximize Sales Performance using Odoo 18 Diverse views in sales module
How To Maximize Sales Performance using Odoo 18 Diverse views in sales module
Celine George
 
Look Up, Look Down: Spotting Local History Everywhere
Look Up, Look Down: Spotting Local History EverywhereLook Up, Look Down: Spotting Local History Everywhere
Look Up, Look Down: Spotting Local History Everywhere
History of Stoke Newington
 
MCQS (EMERGENCY NURSING) DR. NASIR MUSTAFA
MCQS (EMERGENCY NURSING) DR. NASIR MUSTAFAMCQS (EMERGENCY NURSING) DR. NASIR MUSTAFA
MCQS (EMERGENCY NURSING) DR. NASIR MUSTAFA
Dr. Nasir Mustafa
 
Ad

Computer security Description about SQL-Injection and SYN attacks

  • 1. Slide 1 Bahir Dar University Bahir Dar institute of technology Faculty of computing Department of computer science 4th year Section B Computer Security Assignment Presentation BY:-Tesfahunegn Minwuyelet S Date of Submission: 09/11/2016 GC.
  • 2. Slide 2 SQL injection and SYN Attack Contents SQL injection Types of SQL injection (SQLi) Parameters to protection SYN Attack SYN flood defence categories 10 Hacks that made headlines
  • 3. Slide 3 SQL Injection  is a technique where malicious users can inject SQL commands into an SQL statement, via web page input.  Injected SQL commands can alter SQL statement and compromise the security of a web application.  is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).  consists of insertion or "injection" of a SQL query via the input data from the client to the application.  The risk of SQL injection exploits is on the rise because of automated tools. In the past, the danger was somewhat limited because an exploit had to be carried out manually: an attacker had to actually type their SQL statement into a text box.
  • 4. Slide 4 Types of SQL injection  SQL Injection can be used in a range of ways to cause serious problems. By levering SQL Injection, an attacker could bypass authentication, access, modify and delete data within a database. In some cases, SQL Injection can even be used to execute commands on the operating system, potentially allowing an attacker to escalate to more damaging attacks inside of a network that sits behind a firewall.  There are three types of SQLI  In-band SQLi(Classic SQLI)  Inferential SQLI  Out-of –band SQLI
  • 5. Slide 5 In-band sqli(classic sql)  is the most common and easy-to-exploit of SQL Injection attacks.  it occurs when an attacker is able to use the same communication channel to both launch the attack and gather results.  The two most common types of in-band SQL Injection are  Error-based SQLi  Union-based SQLi
  • 6. Slide 6 Error-based SQLi  is an in-band SQL Injection technique that relies on error messages thrown by the database server to obtain information about the structure of the database.  In some cases, error-based SQL injection alone is enough for an attacker to enumerate an entire database.  While errors are very useful during the development phase of a web application, they should be disabled on a live site, or logged to a file with restricted access instead.
  • 7. Slide 7 Union-based SQLi  Union-based SQLi is an in-band SQL injection technique that leverages the UNION SQL operator to combine the results of two or more SELECT statements into a single result which is then returned as part of the HTTP response
  • 8. Slide 8 Inferential sqli (Blind sqli)  unlike in-band SQLi, may take longer for an attacker to exploit, however, it is just as dangerous as any other form of SQL Injection  commonly referred to as “blind SQ , no data is actually transferred via the web application and the attacker would not be able to see the result of an attack in-band L Injection attacks” because  The two types of inferential SQL Injection are  Blind-boolean-based SQLi  Blind-time-based SQLi.
  • 9. Slide 9 Blind-boolean-based SQLi  technique that relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result.  even though no data from the database is returned.  This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database, character by character.
  • 10. Slide 10 Blind-time-based SQLi  that relies on sending an SQL query to the database which forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE.  even though no data from the database is returned.  This attack is typically slow (especially on large databases) since an attacker would need to enumerate a database character by character.
  • 11. Slide 11 Out-of-band SQLi  is not very common, mostly because it depends on features being enabled on the database server being used by the web application  It occurs when an attacker is unable to use the same channel to launch the attack and gather results.  would rely on the database server’s ability to make DNS or HTTP requests to deliver data to an attacker  Such is the case with Microsoft SQL Server’s xp_dirtree command, which can be used to make DNS requests to a server an attacker controls; as well as Oracle Database’s UTL_HTTP package, which can be used to send HTTP requests from SQL and PL/SQL to a server an attacker controls.
  • 12. Slide 12  SQL Injection Based on 1=1 is Always True  SQL Injection Based on ""="" is Always True  SQL Injection Based on Batched SQL Statements  Parameters for protection  Some web developers use a "blacklist" of words or characters to search for in SQL input, to prevent SQL injection attacks. This is not a very good idea. Many of these words (like delete or drop) and characters (like semicolons and quotation marks), are used in common language, and should be allowed in many types of input. (In fact, it should be perfectly legal to input an SQL statement in a database field.) The only proven way to protect a web site from SQL injection attacks, is to use SQL parameters. SQL parameters are values that are added to an SQL query at execution time, in a controlled manner.
  • 13. Slide 13 SYN Attack  A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.  A SYN attack is a type of denial-of-service (DoS) attack in which an attacker utilizes the communication protocol of the Internet  For each SYN packet received, the target machine allocates resources and sends an acknowledgement (SYN-ACK) to the source IP address.  Because the target machine doesn't receive a response from the attacking machine, it attempts to resend the SYN-ACK five times, at 3-, 6-, 12-, 24-, and 48-second intervals, before un allocating the resources 96 seconds after attempting the last retry
  • 14. Slide 14 Continue…  The SYN flood attack is the most common type of flooding attack. The attack occurs when the attacker sends large number of SYN packets to the victim, forcing them to wait for replies that never come. The third part of the TCP three- way handshake is not executed  The source address of these SYN packets in a SYN flood attack is typically set to an unreachable host. As a result, it is impossible to find the attacking computer.
  • 15. Slide 15 SYN flood defense categories  Firewall based • Examples: SYN Defender, SYN proxying • Filters packets and requests before router • Maintains state for each connection • Drawbacks: can be overloaded, extra delay for processing each packet
  • 16. Slide 16 Continue…  Server Based • Examples: SYN Cache, SYN cookies • SYN cache receives packets first and then uses a hash table, to partially store states, • Removes the need to watch half open connections • Implemented in LINUX
  • 17. Slide 17 Continue…  SYN kill  SYN kill monitors the network and if it detects SYNs that are not being acknowledge.  It automatically generates RST packets to free  It automatically generates RST packets to free resources,  It classifies addresses as likely to be spoofed or legitimate…
  • 18. Slide 18 Continue…  MULTOPS  Monitors the packets going to and from a victim  Blocks IPs from outside of network…  limiting IP range of attack.
  • 19. Slide 19 Continue…  Route-based Distributed Packet filtering  Uses packet information to determine if packet arriving at router has a spoofed Source /Destination addresses  Results show many packets can be filtered and those that can’t can be traced back easily
  • 20. Slide 20 10 HACKS THAT MADE HEADLINES  Markus Hess hacks on behalf of the KGB  Robert Morris hacks the internet  Vladimir Levin hacks Citibank  Jonathon James hacks NASA  Adrian Lamo hacks the New York Times  Gary McKinnon hacks the US military  Albert Gonzalez hacks TJX (and many more)  Anonymous hacks HB Gary  Lulzsec hacks Sony  News of the World hacking scandal
  翻译: