SQL Injection

What is SQL injection?
SQL injection is a cyber attack in which the attacker injects a malicious SQL query into an input field or a request parameter, allowing the attacker to view or modify sensitive data.
Types of SQL injection
• In-Band SQL Injection:- A type of SQL injection in which the attacker uses the same communication channel both to launch the attack and to gather the results. It consists of two types:
i. Error based SQL Injection:- This method relies on error messages returned by the backend server to obtain information about the structure of the database.
ii. Union based SQL injection:- This technique uses the UNION SQL operator to combine the results of two or more SELECT statements into a single response.
• Inferential (Blind) SQL injection:- In this type of attack the attacker cannot see any error generated by the injected SQL query. There are two types of inferential SQL injection:
i. Boolean based SQL injection:- The attacker sends an SQL query to the database which the application interprets as TRUE or FALSE.
ii. Time based SQL injection:- In time based attacks the SQL SLEEP() command is used. This type of attack is used to determine whether a blind SQL injection vulnerability is present.
• Out of band SQL injection:- A type of SQL injection in which the attacker does not receive a response from the attacked application on the same communication channel, but instead is able to cause the application to send data to a remote endpoint that they control.
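From the defender's side, the three in-band and inferential families above leave different fingerprints in web-server access logs. The following is an added example, not part of the slides: it runs a small classifier over constructed access-log lines (Apache/nginx combined format, made up for this demo), tags each suspicious request as union-based, boolean-based or time-based, and then looks for the "conditional response" oracle that the boolean technique relies on, namely one client sending paired probes to the same endpoint and getting back responses of different sizes. The patterns and the endpoint names are assumptions chosen for the demo, not rules from any product.

```python
"""Classify SQL injection probes in web-server access logs by the families
described above.  Added example (not from the slides) over constructed log
lines; the patterns are a starting point for a detection rule, not a WAF."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format; not from any real
# server).  10.0.0.9 probes a tracking-ID endpoint with the conditional-
# response payloads from the slides, then tries a UNION and a SLEEP payload.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2024:10:00:01 +0000] "GET /track?id=x7Kq2 HTTP/1.1" 200 512
10.0.0.9 - - [01/May/2024:10:00:02 +0000] "GET /track?id=x7Kq2'%20AND%201=1-- HTTP/1.1" 200 512
10.0.0.9 - - [01/May/2024:10:00:03 +0000] "GET /track?id=x7Kq2'%20AND%201=2-- HTTP/1.1" 200 480
10.0.0.9 - - [01/May/2024:10:00:04 +0000] "GET /items?cat=1'%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 200 2048
10.0.0.9 - - [01/May/2024:10:00:05 +0000] "GET /track?id=x7Kq2'%3B%20SELECT%20SLEEP(10)-- HTTP/1.1" 200 512
10.0.0.7 - - [01/May/2024:10:00:06 +0000] "GET /search?q=union%20station HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+)'
)

# Matched against the URL-decoded query string.  Order matters: a time-based
# probe usually also contains boolean-looking tokens, so it is tested first.
CLASSIFIERS = [
    ("time-based", re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I)),
    ("union-based", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("boolean-based", re.compile(r"'\s*(and|or)\b", re.I)),
]


def classify_query(raw_query):
    """Return the injection family a query string looks like, or None."""
    decoded = unquote_plus(raw_query)
    for family, pattern in CLASSIFIERS:
        if pattern.search(decoded):
            return family
    return None


def scan_log(text):
    """Parse each request line and flag those whose query string matches."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        endpoint, _, query = m.group("path").partition("?")
        family = classify_query(query)
        if family:
            findings.append({
                "ip": line.split(" ", 1)[0],
                "endpoint": endpoint,
                "family": family,
                "size": int(m.group("size")),
            })
    return findings


def boolean_probe_pairs(findings):
    """Endpoints where one client sent boolean probes that produced responses
    of different sizes: the 'conditional response' oracle the slides use
    ('Welcome back' present for 1=1, absent for 1=2)."""
    sizes_by_key = defaultdict(set)
    for f in findings:
        if f["family"] == "boolean-based":
            sizes_by_key[(f["ip"], f["endpoint"])].add(f["size"])
    return sorted(key for key, sizes in sizes_by_key.items() if len(sizes) > 1)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ip']} {h['endpoint']} {h['family']} ({h['size']} bytes)")
    print("conditional-response oracles:", boolean_probe_pairs(hits))
```

The size-difference check is what separates a real boolean oracle from noise: a single `' OR` in a search box is a weak signal, but the same client getting a 512-byte and a 480-byte page for two otherwise identical requests to one endpoint is exactly the behaviour the slides exploit, and it is cheap to alert on.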
Login Bypass using SQL injection
https://drive.google.com/file/d/1hBwdIwvxqNnYrfvYA37KVcU6UwdlrdWw/view?usp=drive_link
SQL Injection with conditional response
https://drive.google.com/file/d/1fEzKoWh5evrfRzfW86M_sImcdIduCJ1g/view?usp=drive_link
• Payloads
The Tracking ID is a string; the server looks up the Tracking ID and returns TRUE or FALSE ("Welcome back" is shown only for TRUE).
'Tracking ID'
 Injecting the payload ' AND 1=1-- gives 'Tracking ID' AND 1=1--'. The condition is TRUE and "Welcome back" is shown.
 If instead one injects ' AND 1=2--, giving 'Tracking ID' AND 1=2--', the condition is TRUE AND FALSE, which evaluates to FALSE, and "Welcome back" is not shown.
 'Tracking ID' AND (SELECT 'x' FROM users LIMIT 1)='x
The subquery returns 'x' if a table named users exists in the database; comparing that result to 'x' makes the whole condition TRUE in that case.
 'Tracking ID' AND (SELECT username FROM users WHERE username='administrator')='administrator
This checks whether a user named administrator exists and yields TRUE or FALSE. If such a user exists, the condition is TRUE and "Welcome back" is shown.
 'Tracking ID' AND (SELECT username FROM users WHERE username='administrator' AND LENGTH(password)>1)='administrator
Here we determine the length of the password by varying the number in the LENGTH comparison. The condition became FALSE at a length greater than 20 and "Welcome back" was not shown, so the password is 20 characters long.
 'Tracking ID' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='administrator' AND LENGTH(password)>1)='a
This payload enumerates the password one character at a time.
Mitigations of SQL Injection
• Input Validation: Validate and sanitize user input to ensure it adheres to expected formats and does not contain malicious code. Use the input validation libraries of frameworks to sanitize user input automatically.
• Output Encoding: Encode user-generated content before displaying it on web pages to prevent the execution of injected scripts. Use HTML entity encoding or JavaScript escaping to neutralize special characters.
• Content Security Policy (CSP): Configure CSP directives to restrict the sources from which resources, such as scripts, stylesheets, or images, can be loaded. Implement strict CSP policies to mitigate the impact of SQL Injection attacks by limiting the execution of inline scripts and external resources.
• Parameterized Queries: Use parameterized queries or prepared statements when interacting with databases to prevent SQL Injection vulnerabilities.
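To make the conditional-response walkthrough and the last two mitigations concrete, here is an added example that is not part of the slides. It builds a constructed in-memory SQLite database (the table and column names tracking, users, username and password are assumptions), implements the tracking-ID lookup once with string concatenation and once as a parameterized query, adds an allowlist check for the tracking-ID format, and runs the slides' own payloads through both handlers. Of the four mitigations listed, parameterized queries are the one that removes the vulnerability itself; input validation is defence in depth, and output encoding and CSP limit what a browser will do with injected content rather than what the database will execute.

```python
"""The conditional-response injection above against a tracking-ID lookup,
beside the parameterized query that closes it.  Added example (not from the
slides) on an in-memory SQLite database with constructed data; the table and
column names (tracking, users, username, password) are assumptions."""
import re
import sqlite3


def build_db():
    """Constructed schema and rows standing in for the lab application."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tracking (id TEXT PRIMARY KEY);
        CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT);
        INSERT INTO tracking VALUES ('x7Kq2');
        INSERT INTO users VALUES ('administrator', 'constructed-example-secret');
    """)
    return conn


def welcome_back_vulnerable(conn, tracking_id):
    """Cookie value concatenated into the statement: the injected condition
    becomes part of the WHERE clause, and the page ('Welcome back' or not)
    leaks whether it evaluated TRUE."""
    sql = f"SELECT 1 FROM tracking WHERE id = '{tracking_id}'"
    return conn.execute(sql).fetchone() is not None


def welcome_back_fixed(conn, tracking_id):
    """Parameterized query: the value is bound, never parsed as SQL, so any
    quote or AND inside it is just characters compared against the id column."""
    sql = "SELECT 1 FROM tracking WHERE id = ?"
    return conn.execute(sql, (tracking_id,)).fetchone() is not None


TRACKING_ID_RE = re.compile(r"^[A-Za-z0-9]{5,32}$")


def is_valid_tracking_id(value):
    """Allowlist validation (defence in depth, not a substitute for binding):
    a tracking id is expected to be short and alphanumeric."""
    return bool(TRACKING_ID_RE.match(value))


# Payloads from the slides, appended to a legitimate tracking id.
PROBES = {
    "true": "x7Kq2' AND 1=1--",
    "false": "x7Kq2' AND 1=2--",
    "users_table": "x7Kq2' AND (SELECT 'x' FROM users LIMIT 1)='x",
    "admin_exists": "x7Kq2' AND (SELECT username FROM users "
                    "WHERE username='administrator')='administrator",
}


def compare_handlers(conn):
    """Return {probe: (vulnerable_result, fixed_result)} for each payload."""
    return {
        name: (welcome_back_vulnerable(conn, p), welcome_back_fixed(conn, p))
        for name, p in PROBES.items()
    }


if __name__ == "__main__":
    db = build_db()
    for name, (vuln, fixed) in compare_handlers(db).items():
        print(f"{name:13s} vulnerable={vuln!s:5s} fixed={fixed}")
```

Against the vulnerable handler the 1=1, users-table and administrator probes all return TRUE and the 1=2 probe returns FALSE, which is the oracle the slides describe; against the parameterized handler every probe returns FALSE because the whole payload is compared literally to the id column and no such id exists. The allowlist check would have rejected each payload before it reached the database at all.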
Cross Site Request Forgery (CSRF)
A cross site request forgery is a type of cyber attack that tricks the user into unknowingly using their credentials to cause a state-changing action, such as changing a password, changing an email address, transferring funds from their account or some other undesired action.
For a CSRF attack to take place, three key conditions must be satisfied:
i. Relevant action:- There is some action that the attacker can make use of. This may be a privileged action, like modifying permissions for other users, or any action on user-specific data, such as changing the username or password of the user's own account.
ii. Cookie based session handling:- The application relies solely on session cookies to identify the user who made the request.
iii. No unpredictable parameters:- The requests that perform the action do not contain any parameters whose values the attacker cannot determine or guess.
CSRF without any defence
https://drive.google.com/file/d/1g47BleE6BTOYugg91YcQsYVSQ0OvwCZW/view?usp=drive_link
CSRF token bypass
https://drive.google.com/file/d/1uPOXEnRTbiB3d9bmwbA3qTyKDZO24lMz/view?usp=drive_link
Mitigations of CSRF
• Anti-CSRF Tokens: Generate a unique token for each user session and include it in form submissions or HTTP headers. Upon receiving a request, the server verifies the token to ensure the request originated from a legitimate page of the application.
• Same-Site Cookies: Set the SameSite attribute on session cookies so that the browser does not send them along with cross-site requests.
• Referer Header Checks: Validate the Referer header of incoming requests to ensure they originate from the same domain as the web application.
• Double Submit Cookies: Include a random token in both a cookie and a form submission. Upon receiving the request, the server compares the two values and rejects the request if they differ.
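The first, second and fourth mitigations above, in code, as an added example that is not part of the slides: requests are modelled as plain dicts with "cookies" and "form" mappings, the session store is an in-memory dict constructed for the demo, and the handler names are invented. It shows a per-session synchronizer token that is looked up from the caller's own session (so a token issued to a different session is rejected, the gap behind the "CSRF token bypass" lab linked above), a SameSite session cookie, and the double-submit comparison done in constant time.

```python
"""Anti-CSRF token and double-submit cookie checks from the list above.
Added example (not from the slides): requests are modelled as plain dicts
with "cookies" and "form" mappings, and the session store is an in-memory
dict constructed for the demo."""
import hmac
import secrets

SESSIONS = {}  # session id -> {"user": ..., "csrf": token}; demo store only


def create_session(user):
    """Log a user in: random session id plus a random per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def session_cookie_header(sid):
    """SameSite=Lax keeps the browser from attaching the cookie to cross-site
    POSTs, so a forged form submission arrives without a session at all."""
    return f"Set-Cookie: session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def _equal(a, b):
    """Constant-time comparison on bytes; non-str input fails closed."""
    if not isinstance(a, str) or not isinstance(b, str):
        return False
    return hmac.compare_digest(a.encode(), b.encode())


def handle_change_email(request):
    """State-changing action guarded by the synchronizer token.  The token is
    looked up from the caller's own session, so a token valid for another
    session is rejected (the 'token not tied to session' weakness)."""
    session = SESSIONS.get(request.get("cookies", {}).get("session"))
    if session is None:
        return 401, "no session"
    if not _equal(session["csrf"], request.get("form", {}).get("csrf")):
        return 403, "csrf token mismatch"
    session["email"] = request["form"]["email"]
    return 200, "email changed"


def double_submit_ok(request):
    """Double-submit cookie: the same random value must arrive both as a
    cookie and as a form field.  A cross-site page cannot read the cookie to
    copy it into the form, so the two only match for a same-site submission."""
    cookie_token = request.get("cookies", {}).get("csrf")
    form_token = request.get("form", {}).get("csrf")
    return bool(cookie_token) and _equal(cookie_token, form_token)


if __name__ == "__main__":
    sid = create_session("alice")
    print(session_cookie_header(sid))
    legit = {"cookies": {"session": sid},
             "form": {"csrf": SESSIONS[sid]["csrf"], "email": "alice@example.com"}}
    forged = {"cookies": {"session": sid},                # browser attaches the cookie
              "form": {"email": "attacker@example.com"}}  # but the token is unknown
    print(handle_change_email(legit))   # (200, 'email changed')
    print(handle_change_email(forged))  # (403, 'csrf token mismatch')
```

The forged request in the demo carries the victim's session cookie, because that is exactly what the browser does for a cross-site form post, and is still refused: the only thing the attacker could not supply is the token that lives in the victim's session. Note that double-submit cookies are weaker than the synchronizer token when an attacker can set cookies for the application's domain, for instance from a vulnerable subdomain, so the handler above treats the session-bound token as the primary check.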
Thank You!!
Ethical Hacking Project: SQL Injection Vulnerability Analysis.pptx

  • 1.
  • 2. What is SQL injection ? SQL injection is a cyber attack in which the attacker injects malicious SQL query into an input field or the parameter like =, allowing the attacker to view or modify sensitive data. SQL Injection
  • 3. Types of SQL injection
  • 4. Types of SQL injection • In-Band SQL Injection:- It is a type of SQL injection in which the attacker uses same communication channel to both launch the attack and gather results. It consist of two types: i. Error based SQL Injection:- This method relies on error messages given by the backend server to obtain the information of the structure of the database. ii. Union based SQL injection:- This SQL injection technique uses UNION SQL operator to combine the results of two or more select statement into a single response.
  • 5. Types of SQL injection • Inferential (Blind) SQL injection This is also known as blind based SQL injection. In this type of attack the attacker cannot see any error generated by injected SQL query. There are two types of Inferential SQL injections, they are:- i. Boolean based SQL injection:- In this attack the attacker sends an SQL query to the database which the application interprets as True or False. ii. Time based SQL injection:- In time based attacks SQL SLEEP() command is been used. This type of attack is used to determine if blind based SQL injection vulnerability is present or not.
  • 6. Types of SQL injection • Out of band SQL injection This is a type of SQL injection in which the attacker does not receive response from the attacked application on the same communication channel but instead is able to cause the application to send data to a remote endpoint that they control.
  • 8. Login Bypass using SQL injection https://drive.google.com/file/d/1hBwdIwvxqNnYrfvY A37KVcU6UwdlrdWw/view?usp=drive_link
  • 9. SQL Injection with conditional response https://drive.google.com/file/d/1fEzKoWh5evrfRzfW 86M_sImcdIduCJ1g/view?usp=drive_link
  • 10. SQL Injection with conditional response • Payloads Tracking ID is in the form of strings and the server verifies the Tracking ID and Gives TRUE or FALSE. 'Tracking ID’  Injecting a payload ' AND 1=1-- gives 'Tracking ID' AND 1=1--’ This implies the condition TRUE and welcome back is shown. Instead one writes 'Tracking ID' AND 1=2--’, one gets TRUE and FALSE and the resultant is FALSE and welcome back is not shown.
• 11. SQL Injection with conditional response
  • 'Tracking ID' AND (SELECT 'x' FROM users LIMIT 1)= 'x
    This payload checks whether a table named users exists in the database: the subquery outputs x, which is then compared with the value x.
  • 'Tracking ID' AND (SELECT username FROM users WHERE username= 'administrator')= 'administrator
    This payload checks whether a user named administrator exists and evaluates to either TRUE or FALSE. If there is a user with the username administrator, the condition is TRUE and "Welcome back" is shown.
• 12. SQL Injection with conditional response
  • 'Tracking ID' AND (SELECT username FROM users WHERE username= 'administrator' AND LENGTH (password)>1)= 'administrator
    With this payload we try to find out the length of the password. The condition became FALSE when the length tested was greater than 20, and "Welcome back" was no longer shown, so the length of the password is 20.
  • 'Tracking ID' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username= 'administrator' AND LENGTH (password)>1)= 'a
    This payload enumerates the password one character at a time.
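The boolean-based probes on the slides above, and the time-based SLEEP() probe mentioned under inferential injection, leave a recognisable trace in web server access logs. The following is an added example, not part of the original slides: a small detector that URL-decodes each request's query parameters and flags the three probe classes over a handful of constructed log lines. The parameter name TrackingId, the log format and the IP addresses are assumptions for the example.

```python
import re
import urllib.parse
from collections import Counter

# Constructed sample access-log lines (not from the original slides). The
# TrackingId values are URL-encoded the way a browser would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01] "GET /?TrackingId=abc123 HTTP/1.1" 200
10.0.0.9 - - [01/Jan/2024:10:00:02] "GET /?TrackingId=abc123%27%20AND%201%3D1-- HTTP/1.1" 200
10.0.0.9 - - [01/Jan/2024:10:00:03] "GET /?TrackingId=abc123%27%20AND%201%3D2-- HTTP/1.1" 200
10.0.0.9 - - [01/Jan/2024:10:00:04] "GET /?TrackingId=abc123%27%20AND%20(SELECT%20SUBSTRING(password,1,1)%20FROM%20users%20WHERE%20username%3D%27administrator%27)%3D%27a HTTP/1.1" 200
10.0.0.9 - - [01/Jan/2024:10:00:05] "GET /?TrackingId=abc123%27%20AND%20SLEEP(5)-- HTTP/1.1" 200
10.0.0.7 - - [01/Jan/2024:10:00:06] "GET /?TrackingId=xyz789 HTTP/1.1" 200
"""

# One regex per probe class, applied to the *decoded* parameter value.
PATTERNS = {
    # Tautology/contradiction probe: closing quote, AND/OR, n=m, comment marker.
    "boolean_probe": re.compile(r"'\s*(AND|OR)\s+\d+\s*=\s*\d+\s*--", re.I),
    # Subquery that extracts data piece by piece (LENGTH / SUBSTRING inference).
    "subquery_inference": re.compile(r"\(\s*SELECT\b.*?\b(SUBSTRING|LENGTH)\s*\(", re.I | re.S),
    # Time-based probe: a deliberate delay in the injected condition.
    "time_based": re.compile(r"\b(SLEEP|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b", re.I),
}

# Common-log-style line: ip ident user [timestamp] "METHOD target proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)


def classify_request(target):
    """Decode the query string of a request target and return the sorted
    names of the probe classes matched by any parameter value."""
    query = urllib.parse.urlsplit(target).query
    params = urllib.parse.parse_qs(query, keep_blank_values=True)
    hits = set()
    for values in params.values():
        for value in values:
            for name, rx in PATTERNS.items():
                if rx.search(value):
                    hits.add(name)
    return sorted(hits)


def scan_log(text):
    """Return (ip, timestamp, classes) for every line carrying a probe."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guess
        classes = classify_request(m.group("target"))
        if classes:
            findings.append((m.group("ip"), m.group("ts"), classes))
    return findings


def per_ip_counts(findings):
    """Count flagged requests per source IP; a burst from one IP is the
    signature of character-by-character inference."""
    return Counter(ip for ip, _, _ in findings)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, ts, classes in found:
        print(ip, ts, ", ".join(classes))
    print(per_ip_counts(found))
```

The per-IP counter matters more than any single match: the inference technique on the slides needs one request per candidate character, so a single client issuing many near-identical requests that differ only in the injected condition is the pattern to alert on.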
• 13. Mitigations of SQL Injection
  • Input Validation: Validate and sanitize user input to ensure it adheres to expected formats and does not contain malicious code. Use input validation libraries or frameworks to sanitize user input automatically.
  • Output Encoding: Encode user-generated content before displaying it on web pages to prevent the execution of injected scripts. Use HTML entity encoding or JavaScript escaping to neutralize special characters.
  • Content Security Policy (CSP): Configure CSP directives to restrict the sources from which resources, such as scripts, stylesheets, or images, can be loaded. Implement strict CSP policies to mitigate the impact of SQL Injection attacks by limiting the execution of inline scripts and external resources.
  • Parameterized Queries: Use parameterized queries or prepared statements when interacting with databases to prevent SQL Injection vulnerabilities.
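The two mitigations above that act on the database query itself, input validation and parameterized queries, are easiest to understand side by side with the flaw they remove. The following is an added example, not code from the original slides: a string-concatenated lookup of a Tracking ID next to its parameterized form, run against an in-memory SQLite table, with an allow-list check in front. The table name, the sample row abc123, and the Tracking ID format are assumptions for the example.

```python
import re
import sqlite3


def make_db():
    """In-memory database with one constructed tracking row (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tracking (id TEXT PRIMARY KEY)")
    conn.execute("INSERT INTO tracking VALUES ('abc123')")
    return conn


def lookup_vulnerable(conn, tracking_id):
    """VULNERABLE: the untrusted value is spliced into the SQL text, so a quote
    and an operator inside it become part of the query structure. Returns True
    when the query finds a row, i.e. when the application would say 'Welcome back'."""
    sql = "SELECT id FROM tracking WHERE id = '" + tracking_id + "'"
    return conn.execute(sql).fetchone() is not None


def lookup_parameterized(conn, tracking_id):
    """SAFE: the value travels as a bound parameter; the database compares the
    whole string against the column and it can never alter the query."""
    row = conn.execute("SELECT id FROM tracking WHERE id = ?", (tracking_id,)).fetchone()
    return row is not None


# Assumed format for a Tracking ID: 6 to 32 alphanumeric characters. An allow-list
# is preferred over a deny-list of "bad" characters because it defines what is
# acceptable rather than trying to enumerate every attack.
TRACKING_ID_RE = re.compile(r"[A-Za-z0-9]{6,32}")


def is_valid_tracking_id(value):
    return TRACKING_ID_RE.fullmatch(value) is not None


def welcome_message(conn, tracking_id):
    """The hardened request handler: validate first, then query with a parameter."""
    if not is_valid_tracking_id(tracking_id):
        return None  # reject before the value ever reaches the database
    return "Welcome back" if lookup_parameterized(conn, tracking_id) else None


if __name__ == "__main__":
    db = make_db()
    for value in ("abc123", "abc123' AND 1=1--", "abc123' AND 1=2--"):
        print(repr(value),
              "vulnerable:", lookup_vulnerable(db, value),
              "parameterized:", lookup_parameterized(db, value),
              "handler:", welcome_message(db, value))
```

With the concatenated query the two conditional payloads from the earlier slides give different answers (a row for 1=1, none for 1=2), which is exactly the TRUE/FALSE oracle that blind injection relies on; with the bound parameter both return no row, and the allow-list rejects them before any query runs. Validation alone is not sufficient, because not every field can be restricted to alphanumerics; the parameterized query is the control that holds regardless of input format.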
• 14. Cross Site Request Forgery (CSRF)
  A cross site request forgery is a type of cyber attack that tricks the user into unknowingly using their credentials to cause a state-changing action, such as changing passwords, changing email IDs, transferring funds from their account or some other undesired action.
• 15. Cross Site Request Forgery (CSRF)
  For a CSRF attack to take place, 3 key conditions must be satisfied:
    i. Relevant action: there is some action that the attacker can make use of. This is either a privileged action, like modifying permissions for other users, or any action on user-specific data, such as changing the username or password of the victim's own account.
    ii. Cookie-based session handling: the application relies solely on session cookies to identify the user who made the request.
    iii. No unpredictable parameters: the requests that perform the action do not contain any parameters whose values the attacker cannot determine or guess.
  • 16. Cross Site Request Forgery (CSRF)
• 17. CSRF without any defence https://drive.google.com/file/d/1g47BleE6BTOYugg91YcQsYVSQ0OvwCZW/view?usp=drive_link
• 19. Mitigations of CSRF
  • Anti-CSRF Tokens: Generate unique tokens for each user session and include them in form submissions or HTTP headers. Upon receiving a request, the server verifies the token's authenticity to ensure it originated from a legitimate source.
  • Same-Site Cookies: Set the SameSite attribute on session cookies to restrict their usage to the same origin, thereby preventing them from being sent along with cross-site requests.
  • Referer Header Checks: Validate the Referer header of incoming requests to ensure they originate from the same domain as the web application.
  • Double Submit Cookies: Include a random token in both a cookie and a form submission. Upon receiving the request, the server should compare the token values to verify their consistency.
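The four mitigations above each break one of the three CSRF conditions from slide 15: a per-session token (or a double-submit token) adds a parameter the attacker cannot guess, and SameSite cookies and Referer checks stop the browser from lending the victim's session cookie to a cross-site request. The following is an added example, not code from the original slides, showing all four as server-side checks in plain Python with no web framework. The origin https://shop.example, the header and form field names, and the SERVER_SECRET are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from http import cookies
from urllib.parse import urlsplit

# Assumed per-deployment secret; in a real service this comes from a secret store.
SERVER_SECRET = secrets.token_bytes(32)
# Assumed origin of the application; only requests from here may change state.
SITE_ORIGIN = "https://shop.example"


def new_session():
    """Server-side session record with a fresh anti-CSRF (synchronizer) token."""
    return {"id": secrets.token_urlsafe(32), "csrf_token": secrets.token_urlsafe(32)}


def session_cookie_header(session):
    """Set-Cookie header for the session cookie with SameSite=Lax, so the browser
    withholds it from cross-site POSTs; Secure and HttpOnly are included as well."""
    jar = cookies.SimpleCookie()
    jar["session"] = session["id"]
    jar["session"]["path"] = "/"
    jar["session"]["secure"] = True
    jar["session"]["httponly"] = True
    jar["session"]["samesite"] = "Lax"
    return jar.output(header="Set-Cookie:")


def referer_ok(headers):
    """Referer/Origin check: the request must come from SITE_ORIGIN. Origin is
    preferred because browsers send it on cross-site POSTs; a missing header is
    rejected (a policy choice: fail closed)."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def authorize_state_change(session, headers, form):
    """Gate for a state-changing request. Returns (ok, reason). The token is
    compared with hmac.compare_digest to avoid timing leaks."""
    if not referer_ok(headers):
        return False, "bad-referer"
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(session["csrf_token"], submitted):
        return False, "bad-token"
    return True, "ok"


def double_submit_token(session_id):
    """Double-submit variant for stateless servers: the cookie value is an HMAC of
    the session id, so an attacker cannot mint a matching cookie/form pair."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_double_submit(session_id, cookie_value, form_value):
    """Both the cookie and the form field must carry the expected token."""
    expected = double_submit_token(session_id)
    return (hmac.compare_digest(expected, cookie_value or "")
            and hmac.compare_digest(expected, form_value or ""))


if __name__ == "__main__":
    sess = new_session()
    print(session_cookie_header(sess))
    same_site = {"Origin": SITE_ORIGIN, "Referer": SITE_ORIGIN + "/account"}
    print(authorize_state_change(sess, same_site, {"csrf_token": sess["csrf_token"]}))
    print(authorize_state_change(sess, {"Referer": "https://other.example/"}, {"csrf_token": sess["csrf_token"]}))
    tok = double_submit_token(sess["id"])
    print(check_double_submit(sess["id"], tok, tok), check_double_submit(sess["id"], tok, "guess"))
```

The checks are layered deliberately: SameSite=Lax removes most cross-site POSTs at the browser, the Origin/Referer check catches clients that still send the cookie, and the token is the control that does not depend on browser behaviour at all. The HMAC-bound double-submit token addresses the weakness of a plain random double-submit cookie, where anything able to set a cookie for the site could forge a matching pair.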