Database security and injection
Database security: injection and other attacks
Ahmed Shamel
Supervised by: Dr. Shimaa Hameed
Introduction
What Is Database Security?
Database
A collection of information stored in a computer.
Security
Being free from danger.
Database Security
The mechanisms that protect the database against intentional or accidental threats.
Three Main Aspects
What does a database need?
Secrecy, Integrity, Availability
Secrecy
Protecting the database from unauthorized users.
Ensures that users are allowed to do the things they are trying to do.
For example, employees should not see the salaries of their managers.
Integrity
Only authorized users should be allowed to modify data.
Ensures that what users are trying to do is correct.
For example, an employee should be able to modify his or her own information, and nobody else's.
Availability
Authorized users should be able to access the data at any time they need it for legitimate purposes.
For example, payment orders regarding taxes must be made on time, as the tax law requires.
Threat
A threat is any intentional or accidental event that may adversely affect the system.
Examples of threats:
- Using another person's log-in name to access data.
- Unauthorized copying of data.
- Program or data alteration.
- Illegal entry by a hacker.
- Viruses.
Kinds of Threat
1. Non-fraudulent threat: natural or accidental disasters; errors or bugs in hardware or software; human errors.
2. Fraudulent threat: exploitation of vulnerabilities; input injection (formerly SQL injection).
Input Injection (Formerly SQL Injection)
SQL injection is a technique where malicious users inject SQL commands into an SQL statement via web page input.
Injected SQL commands can alter the SQL statement and compromise the security of a web application.
There are two major types of database injection attacks:
1) SQL injection, which targets traditional database systems.
2) NoSQL (stands for "not only SQL") injection, which targets Big Data platforms.
SQL injection attacks usually involve inserting (or "injecting") unauthorized or malicious statements into the input fields of web applications. NoSQL injection attacks, on the other hand, involve inserting malicious statements into Big Data components.
In both types, a successful input injection attack can give an attacker unrestricted access to an entire database.
Legitimate access by user name and password
Big websites usually use a variety of databases, because different databases serve different purposes.
How do the injected statements work? On a login, the web application is literally asking the database server: "do we have a user with the username 'Ahmed' and the password 'AAAA' registered in the system?"
If the input contains a special character such as a quote, the SQL syntax is broken and an error occurs. This plays a key role in SQL injection.
If an attacker is able to "smuggle" a special character (one that is not filtered by the web application) into the input, it is possible to modify the SQL queries, their logic and hence the application's behavior.
Checking the web design: does it pass special characters through to the database queries?
What happens if we pass this command through the web application?
What in fact happens inside the database
The injected condition 1=1 is always true, so the WHERE clause matches every row.
The attacker is successfully authenticated as the first user from the top of the list (the first row), for example:
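The login check walked through above (the username/password query, the broken syntax from a stray quote, and the always-true 1=1 condition that authenticates the attacker as the first row), as an added example in Python with SQLite. This is not code from the original slides; the users table, its two rows, the function names and the input strings are constructed for the demonstration. The vulnerable concatenated query is shown beside the standard fix, bound parameters, so the same inputs can be compared against both.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the slides).
SAMPLE_USERS = [
    (1, "alice", "s3cret"),
    (2, "Ahmed", "AAAA"),
]


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, so user input becomes SQL text.
    Returns the matched username, or None."""
    sql = (
        "SELECT id, username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[1] if row else None


def login_parameterized(conn, username, password):
    """Same check with bound parameters: the input is data, never SQL text."""
    row = conn.execute(
        "SELECT id, username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[1] if row else None


def demo():
    """Run the three situations from the slides against both versions."""
    conn = make_db()
    results = {}

    # 1. A normal login succeeds in both versions.
    results["normal"] = (
        login_vulnerable(conn, "Ahmed", "AAAA"),
        login_parameterized(conn, "Ahmed", "AAAA"),
    )

    # 2. A single unescaped quote leaves an unterminated string literal:
    #    the SQL syntax is broken and the database raises an error.
    try:
        login_vulnerable(conn, "Ahmed'", "AAAA")
        results["syntax_error"] = False
    except sqlite3.OperationalError:
        results["syntax_error"] = True

    # 3. The always-true condition makes the WHERE clause match every row
    #    (the '--' comments out the password check), so the first row
    #    in the table is returned and the caller is "authenticated" as alice.
    tautology = "' OR 1=1 --"
    results["vulnerable_bypass"] = login_vulnerable(conn, tautology, "anything")

    # 4. With bound parameters the same string is compared literally as a
    #    username; no such user exists, so the login fails.
    results["parameterized_bypass"] = login_parameterized(conn, tautology, "anything")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run the file directly to see all four outcomes. The point of the comparison is that the parameterized version never interprets the input as SQL, so neither the syntax error nor the bypass is possible, regardless of which special characters the web application lets through.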
Threat Countermeasures
Computer-based controls:
- Authorization
- Authentication
- Backup and recovery
- Views
- Encryption
- RAID technology
Authorization: the granting of a privilege that enables a user to have legitimate access to a system.
Authentication: a system administrator is responsible for allowing users to have access to the system by creating individual user accounts.
Backup & Recovery: the process of periodically taking a copy of the database and log file onto offline storage media.
View: hiding parts of the database from certain users; this provides a powerful and flexible security mechanism.
Redundant Array of Independent Disks (RAID): the hardware that the DBMS is running on must be fault-tolerant, meaning that the DBMS should continue to operate even if one of the hardware components fails.
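The view countermeasure, tied to the secrecy example earlier in the slides (employees should not see salaries), as an added example in Python with SQLite that is not part of the original slides. The employees table, its rows, the view name staff_directory and the grade threshold are constructed for the demonstration. SQLite has no GRANT statement, so the example enforces the rule with the standard-library authorizer hook (sqlite3.Connection.set_authorizer): a direct read of the salary column is refused, while the same column may be read on behalf of the view, which exposes only a coarse grade.

```python
import sqlite3

# Constructed sample data (not from the slides): id, name, department, salary.
EMPLOYEES = [
    (1, "Ahmed", "IT", 3000),
    (2, "Shimaa", "IT", 9000),
]


def salary_authorizer(action, table, column, db_name, source):
    """SQLite authorizer callback.

    SQLite consults it while preparing each statement. For a column read
    (SQLITE_READ) the last argument is the name of the view or trigger on
    whose behalf the read happens, or None for top-level SQL. A direct
    read of employees.salary is denied; the same read issued through a
    view is allowed, so the view decides what is exposed. Everything else
    is allowed."""
    if (action == sqlite3.SQLITE_READ and table == "employees"
            and column == "salary" and source is None):
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def make_db():
    """In-memory database with the base table, the restricted view, and the
    authorizer installed after the schema exists (so the DDL is not subject
    to it)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees ("
        "id INTEGER PRIMARY KEY, name TEXT, department TEXT, salary INTEGER)"
    )
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", EMPLOYEES)
    # The view reads salary internally but publishes only a grade band.
    conn.execute(
        "CREATE VIEW staff_directory AS "
        "SELECT id, name, department, "
        "CASE WHEN salary >= 5000 THEN 'senior' ELSE 'junior' END AS grade "
        "FROM employees"
    )
    conn.commit()
    conn.set_authorizer(salary_authorizer)
    return conn


def directory(conn):
    """What an ordinary user gets: names and grades, never salary figures."""
    return conn.execute(
        "SELECT name, grade FROM staff_directory ORDER BY id"
    ).fetchall()


def query_allowed(conn, sql):
    """True if the statement can be prepared and run under the authorizer;
    a denied read surfaces as sqlite3.DatabaseError ('not authorized')."""
    try:
        conn.execute(sql).fetchall()
        return True
    except sqlite3.DatabaseError:
        return False


if __name__ == "__main__":
    db = make_db()
    print(directory(db))
    print(query_allowed(db, "SELECT name FROM employees"))
    print(query_allowed(db, "SELECT name, salary FROM employees"))
```

In a server DBMS the same design is expressed with privileges: the application account is granted SELECT on the view only, never on the base table, so the view is the single place where the hidden columns are filtered.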