Transcript
Analysis of SQL injection prevention using a proxy server
By: David Rowe
Supervisor: Barry Irwin

Presentation Outline
• What SQL injection is
• Example
• Project Objectives
• Design and Implementation
• Expected Results
• Current Status
• Possible Extensions
• Questions

SQL injection
• SQL injection is a method by which the parameters of a web-based application are modified in order to change the SQL statements that are passed to a database.
• An attacker is able to insert a series of SQL statements into a 'query' by manipulating data input.

SQL injection Example

Vulnerable web page

Example
• In ASP, a critical vulnerability is the way in which the query string is created.
• example:
  var SQL = "select * from users where username = ' "+ username +" ' and password = ' "+ password +" '";

Example
• Username: ';drop table users--
• the 'users' table will be deleted, denying access to the application for all users

Example
• Query executed:
  select * from users where username = '';drop table users--
• the quote closes the username literal, the semicolon starts a second statement, and the -- turns the rest of the original query into a comment

Example

Project Goals
• Analyse the structure of SQL query commands
• Build a parser that will check allowable patterns of SQL statements
• Create a proxy server that will filter SQL commands
• Prevent a SQL injection attack to a database using this proxy server
• Prove that SQL injection can be prevented using the filter developed to work on the proxy server

Development Environment
• Microsoft Windows XP
• Microsoft Visual Studio .NET - C Sharp
• Microsoft Visual SourceSafe
• Microsoft SQL Server 2000

Implementation Step

Expected Results
• Prevention of a SQL injection attack by filtering the queries using the proxy server
• List of best practices for
  – Web design
  – Database administration

Current Status
• Working proxy server
  – Extracts the SQL from a TDS (Tabular Data Stream, the SQL Server client protocol) packet
  – Logs that SQL query to a separate log file
• Work in progress:
  – Log to the database
  – Prevent a SQL injection attack
    • White listing
    • Black listing

Possible Extensions
• Handle other databases, examples: Oracle, MySQL and Postgres
• Other operating systems, example: Linux

Questions
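The slides describe two things without showing code for either: the concatenated query that the vulnerable ASP page hands to the database, and the white-listing/black-listing filter the proxy is meant to apply to the SQL it extracts from the TDS packet. The following Python is an added example written for this page; it is not the project's C# proxy code. It reproduces the slide's concatenation (without the stray spaces inside the quotes), reduces each statement to a "shape" with literals removed, and accepts only shapes on an allowed list; a black-list pass then names the injection markers that remain outside string literals. The allowed shapes, the `products` query and the sample inputs are constructed for the example.

```python
import re

# Allowed statement shapes (constructed for this example): literals replaced
# by '?'. A real deployment would derive these from the application's own,
# legitimate queries, as the slides' "allowable patterns" parser would.
ALLOWED_SHAPES = {
    "select * from users where username = ? and password = ?",
    "select id, name from products where id = ?",
}

# A single-quoted SQL string literal; a doubled quote ('') inside it is an
# escaped quote, so 'O''Brien' is one literal.
STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")
NUMBER = re.compile(r"\b\d+\b")


def build_query_as_on_slide(username: str, password: str) -> str:
    """The slide's concatenating query builder (the vulnerable pattern),
    reproduced so the filter can be fed exactly what the proxy would see."""
    return ("select * from users where username = '" + username
            + "' and password = '" + password + "'")


def strip_literals(sql: str) -> str:
    """Replace string and numeric literals with '?' so only structure remains."""
    return NUMBER.sub("?", STRING_LITERAL.sub("?", sql))


def normalise(sql: str) -> str:
    """Collapse a statement to a comparable shape: no literals, single spaces,
    lower case, no trailing semicolon."""
    shape = re.sub(r"\s+", " ", strip_literals(sql)).strip()
    return shape.rstrip(";").strip().lower()


def blacklist_hits(sql: str) -> list:
    """Black-listing: injection markers that survive outside string literals.
    Markers inside a properly quoted literal are data, not structure."""
    structure = strip_literals(sql).strip()
    hits = []
    if ";" in structure.rstrip(";"):   # a ';' that is not trailing stacks a second statement
        hits.append("stacked statement")
    if "--" in structure or "/*" in structure:
        hits.append("comment sequence")
    if "'" in structure:               # every balanced literal was consumed; a leftover quote is unbalanced
        hits.append("unbalanced quote")
    return hits


def check_query(sql: str) -> tuple:
    """White-listing: the statement's shape must be one the application is
    known to issue. Returns (allowed, reason); the reason carries the
    black-list findings so the proxy's log explains each rejection."""
    if normalise(sql) in ALLOWED_SHAPES:
        return True, "shape allowed"
    hits = blacklist_hits(sql)
    return False, "shape not allowed" + (": " + ", ".join(hits) if hits else "")


if __name__ == "__main__":
    # Constructed inputs: a normal login and the slide's ';drop table users-- username.
    for user, pw in (("alice", "s3cret"), ("';drop table users--", "")):
        q = build_query_as_on_slide(user, pw)
        print(check_query(q), "<-", q)
```

Shape matching is what does the real work here: the injected username changes the statement's structure (a second statement after the username literal), so the query no longer matches any allowed shape, while the black-list pass only adds an explanation. Keying on shape also avoids the classic black-list failure of rejecting legitimate data such as a surname containing an apostrophe.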