SQL Injection Attacks: Is Your Data Secure? .NET Edition

SQL injection is one of the most common ways that hackers gain access to your database. Do you know how to protect your data from malicious users? This session will provide an overview of how SQL injection works as well as steps to prevent it from happening to you. We'll examine both .NET and T-SQL solutions, as well as why some commonly used techniques aren’t as secure as many people think. If you ever capture user inputs to store in the database or write dynamic SQL queries then this session is for you.


  1. SQL Injection Attacks: Is Your Data Secure? Cleveland C#/VB.Net User Group | Bert Wagner | February 22, 2018
  2. Objective SQL injection prevention does not have an “easy” solution
  3. Disclaimers • Try this at home • Not at work • Not on other people’s systems
  4. Background • Business Intelligence Developer • Tech security enthusiast • Saw my first injection attempts in ~2001 – MySQL logs Demo code and slides available at bertwagner.com
  5. Overview 1. Importance of SQL injection protection 2. Dynamic SQL 3. What does SQL injection look like? 4. Common misconceptions 5. Preventing SQL injection
  6. • Data Leaks • Data Validity • Server Availability
  7. Dynamic SQL “Just because you can, doesn’t mean you should.” • Can’t parameterize everything • Adaptable Queries • Performance However…
  8. What is SQL Injection? • Dynamic string execution • Unsanitized input (could be from a column or parameter) • Performing something the query wasn’t originally intended to do
  9. What is SQL Injection? Concatenating a parameter into our query string
  10. What is SQL Injection? SQL injection can occur without concatenated parameters too
  11. Let’s go back to 1998…
  12. OWASP 2004
  13. OWASP – Present Day
  14. Common Misconceptions “The structure of my database isn’t public” You don’t have a Users table? Products? Inventory? etc... “The Amazing Bert”
  15. Common Misconceptions “I obfuscate my table names” sys.objects? Errors displayed in app? Logs, emails, social engineering…?
  16. Common Misconceptions “Isn’t it the DBA’s job to protect the database?” True. But multiple layers of security are better than one. Front-end validation doesn’t stop malicious users; server-side validation does.
  17. Common Misconceptions “I’m not important enough to get hacked” Automated injection tools target everyone https://github.com/sqlmapproject/sqlmap/wiki/Techniques
  18. Common Misconceptions “I use an ORM to code my SQL queries” ORMs are still vulnerable if you need to pass an argument that can’t be parameterized by SQL Server, or if you call a vulnerable stored procedure. Other libraries, like the LINQ Dynamic Query Library, try to mitigate this but are also not perfect. https://stackoverflow.com/questions/8738953/is-injection-possible-through-dynamic-linq
  19. Protecting Against SQL Injection Must take a multi-layered approach. Demos: • Don’t write dynamic SQL • sp_executesql • QUOTENAME() • REPLACE() • EXECUTE AS • Limit inputs • Homoglyph attacks • Proactively find injection vulnerabilities
  20. Other Tools • sqlmap • Azure SQL • Continuous monitoring tools • Troy Hunt’s “hackable” website: https://hackyourselffirst.troyhunt.com/
  21. Recap • No easy, single-approach solution • Validate, sanitize, escape • Developers and DBAs both responsible • Limit executing account privileges • Use other software to help test, find vulnerabilities
  22. Thank you! @bertwagner bertwagner.com youtube.com/c/bertwagner bert@bertwagner.com New posts and videos every Tuesday!
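The slides name the demos but the page carries none of the demo code, so the following T-SQL is an added example written for this page; it is not Bert Wagner's demo code. It puts the two "what does injection look like" cases of slides 9 and 10 (a concatenated parameter, and a payload that arrives through a column rather than a parameter) next to the sp_executesql + QUOTENAME() hardening of slide 19. The table dbo.Users, the three procedures and the sample rows are all constructed here for the demonstration; run it only against a disposable database. GO is the batch separator understood by sqlcmd and SSMS, not a T-SQL statement.

```sql
-- Added example (not from the slides). Assumes a throwaway database where dbo.Users
-- does not yet exist; everything below is created and dropped by the script itself.
SET NOCOUNT ON;
CREATE TABLE dbo.Users
(
    UserId      INT IDENTITY(1,1) PRIMARY KEY,
    UserName    NVARCHAR(100) NOT NULL,
    DisplayName NVARCHAR(100) NOT NULL
);
INSERT INTO dbo.Users (UserName, DisplayName) VALUES (N'alice', N'Alice');
-- Constructed malicious row: the payload lives in a column, not in any parameter.
INSERT INTO dbo.Users (UserName, DisplayName)
VALUES (N'mallory', N'''; SELECT ''injected'' AS payload; --');
GO

-- 1. Vulnerable (slide 9): the caller's value is concatenated straight into the string.
CREATE PROCEDURE dbo.FindUser_Vulnerable @UserName NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT UserId, UserName FROM dbo.Users WHERE UserName = N''' + @UserName + N''';';
    EXEC (@sql);   -- runs whatever the caller managed to splice into @sql
END;
GO

-- 2. Also vulnerable (slide 10), with no string parameter at all: @UserId is an INT,
--    but the DisplayName read back from the table is concatenated into dynamic SQL.
CREATE PROCEDURE dbo.GreetUser_Vulnerable @UserId INT
AS
BEGIN
    DECLARE @name NVARCHAR(100);
    SELECT @name = DisplayName FROM dbo.Users WHERE UserId = @UserId;
    DECLARE @sql NVARCHAR(MAX) = N'SELECT N''Hello, ' + @name + N''' AS greeting;';
    EXEC (@sql);
END;
GO

-- 3. Hardened (slide 19): values travel as sp_executesql parameters; the one thing that
--    cannot be parameterized (the ORDER BY column) is whitelisted against the catalog
--    and wrapped in QUOTENAME().
CREATE PROCEDURE dbo.FindUser_Safe
    @UserName   NVARCHAR(100),
    @SortColumn SYSNAME = N'UserName'
AS
BEGIN
    -- Limit inputs: only a real column of dbo.Users may be used as the sort key.
    IF NOT EXISTS (SELECT 1 FROM sys.columns
                   WHERE object_id = OBJECT_ID(N'dbo.Users') AND name = @SortColumn)
        THROW 50000, N'Invalid sort column', 1;

    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT UserId, UserName FROM dbo.Users WHERE UserName = @u ORDER BY '
        + QUOTENAME(@SortColumn) + N';';
    -- @u is bound as a typed parameter; the caller's text never becomes part of the statement.
    EXEC sys.sp_executesql @sql, N'@u NVARCHAR(100)', @u = @UserName;
END;
GO

-- Demonstration. Payload 1 closes the literal and comments out the rest of the statement:
--   ... WHERE UserName = N'x' OR 1=1 --';
EXEC dbo.FindUser_Vulnerable N'x'' OR 1=1 --';   -- returns every user
EXEC dbo.FindUser_Safe       N'x'' OR 1=1 --';   -- returns no rows: no user has that name
-- Payload 2 needs no string parameter; the stored DisplayName is the attack:
--   SELECT N'Hello, '; SELECT 'injected' AS payload; --' AS greeting;
EXEC dbo.GreetUser_Vulnerable 2;                  -- second result set: 'injected'
-- Identifier injection through the sort column is rejected before any SQL is built
-- (error 50000 ends this batch, so the cleanup lives in the next one).
EXEC dbo.FindUser_Safe N'alice', N'UserName; DROP TABLE dbo.Users --';
GO

DROP PROCEDURE dbo.FindUser_Vulnerable, dbo.GreetUser_Vulnerable, dbo.FindUser_Safe;
DROP TABLE dbo.Users;
GO
```

Two caveats the slide list hints at. REPLACE(@UserName, '''', '''''') only protects a quoted string literal: it does nothing for an identifier position such as the sort column above (a column name cannot be quoted as a string, which is why the example checks sys.columns and uses QUOTENAME() instead), and the "homoglyph attacks" item on slide 19 covers inputs where a character that is not a quote in the NVARCHAR value turns into one after a later implicit conversion to VARCHAR, i.e. after the REPLACE has already run. EXECUTE AS belongs on top of all of this: a procedure that runs under a low-privilege user limits what a payload that does get through is able to read or drop.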
