Analysis of SQL injection prevention using a proxy server - PowerPoint PPT Presentation

Number of Views:124
Avg rating:3.0/5.0
Slides: 17
Provided by: DavidR183

Transcript and Presenter's Notes

1
Analysis of SQL injection prevention using a
proxy server
  • By David Rowe
  • Supervisor Barry Irwin

2
Presentation Outline
  • What SQL injection is
  • Example
  • Project Objectives
  • Design and Implementation
  • Expected Results
  • Current Status
  • Possible Extensions
  • Questions

3
SQL injection
  • SQL Injection is a method by which the parameters
    of a Web-based application are modified in order
    to change the SQL statements that are passed to a
    database.
  • An attacker is able to insert a series of SQL
    statements into a 'query' by manipulating data
    input.

4
SQL injection
5
Example
Vulnerable web page
6
Example
  • In ASP, a critical vulnerability is the way in
    which the query string is created: user input is
    concatenated straight into the SQL text.
  • Example:
      var SQL = "select * from users where " +
                "username = '" + username + "' and " +
                "password = '" + password + "'";

7
Example
  • Username: '; drop table users--
  • The 'users' table will be deleted, denying access
    to the application for all users.

8
Example
Query executed:
  select * from users where username = ''; drop table users--
9
Example
10
Project Goals
  • Analyse the structure of SQL query commands
  • Build a parser that will check allowable patterns
    of SQL statements
  • Create a proxy server that will filter SQL
    commands.
  • Prevent SQL injection attacks against a database
    using this proxy server.
  • Prove that SQL injection can be prevented using
    the filter developed for the proxy server.

11
Development Environment
  • Microsoft Windows XP
  • Microsoft Visual Studio .NET - C#
  • Microsoft Visual Source Safe
  • Microsoft SQL Server 2000

12
Implementation Step
13
Expected Results
  • Prevention of a SQL injection attack by filtering
    the queries using the proxy server
  • List of best practices for:
      • Web design
      • Database administration

14
Current Status
  • Working proxy server
      • Extracts the SQL from a TDS packet
      • Logs that SQL query to a separate log file
  • Work in progress
      • Log to the database
      • Prevent a SQL injection attack
          • White listing
          • Black listing
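As an added illustration (not code from this presentation or its C# proxy), the "allowable patterns" check that the Project Goals and the white-listing item above describe, written in Python as a query-template allow-list: literals are replaced by placeholders so only the shape of a statement is compared, the login query from slide 6 matches its template, and the injected input from slide 7 changes the shape and is rejected. The names normalize, check, build_login_query and the sample inputs are my own.

```python
import re

# Tokenizer for the subset of T-SQL the login query uses: string literals
# (with '' as the escaped quote), comments, numbers, words, single symbols.
_TOKEN = re.compile(
    r"'(?:[^']|'')*'"            # string literal
    r"|--[^\n]*|/\*.*?\*/"       # line or block comment
    r"|\d+(?:\.\d+)?"            # numeric literal
    r"|[A-Za-z_][A-Za-z0-9_]*"   # keyword or identifier
    r"|\S",                      # any other single character
    re.DOTALL,
)


def normalize(sql):
    """Reduce a statement to its structural template: every literal becomes
    '?', comments become a marker, keywords/identifiers are lower-cased."""
    out = []
    for m in _TOKEN.finditer(sql):
        tok = m.group(0)
        if tok.startswith("'") or tok[0].isdigit():
            out.append("?")
        elif tok.startswith("--") or tok.startswith("/*"):
            out.append("<comment>")
        else:
            out.append(tok.lower())
    return " ".join(out)


# Allow-list of templates the proxy would accept (constructed for this demo).
ALLOWED = {normalize("select * from users where username = 'u' and password = 'p'")}


def build_login_query(username, password):
    """The page's ASP-style concatenation, reproduced only to generate the
    text the proxy would see; this is the vulnerable construction."""
    return ("select * from users where username = '" + username
            + "' and password = '" + password + "'")


def check(sql):
    """Return (allowed, template); the proxy forwards only allowed queries."""
    tpl = normalize(sql)
    return tpl in ALLOWED, tpl


if __name__ == "__main__":
    for user in ["alice", "O''Brien", "'; drop table users--", "' or '1'='1"]:
        ok, tpl = check(build_login_query(user, "pw"))
        print("ALLOW" if ok else "BLOCK", "|", tpl)
```

A legitimate escaped quote (O''Brien) still maps to the allowed template, while both the drop-table payload and a tautology produce a different template and are blocked.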

15
Possible Extensions
  • Handle other databases
      • Examples: Oracle, MySQL and Postgres
  • Other operating systems
      • Example: Linux

16
Questions?