SQLServerUnderAttack_SQLInjection.pdf

(1817 KB) Pobierz

12.05.2015

“SQL Attack..ed”

SQL Server under attack:

SQL Injection

Andreas Wolter

Founder: Sarpedon Quality Lab

Database Architect

| MCM, MCSM

Andreas Wolter

Consultant, Trainer & Speaker

Microsoft Certified Master SQL Server 2008

& Solutions Master Data Platform (SQ Server 2012)

•

Microsoft SQL Server 7.0 - 2014

•

Datawarehouse & OLTP-System Architecture

•

Performance Tuning

•

Security

Email:

Web:

Blog:

Facebook:

Linkedin:

Twitter:

a.wolter@Sarpedon.de

www.andreas-wolter.com

www.insidesql.org/blogs/andreaswolter/

www.facebook.com/SarpedonQualityLab

www.linkedin.com/in/andreaswolter

@AndreasWolter

SQLDay 2015

12.05.2015

Audience



Developer

Administrator



(Prod) SQL Server Version?

<= 2005

()

2008 / R2

()

2012

(

)

2014

(

 )

SQLDay 2015

Agenda

•

(Web)Application Layer

–

My form and the WAF don’t let anything pass through – or do they?

•

Standard SQL Injection

Blind / Error-based /Time-based SQL Injection, Encoding Injection

2nd Order SQL Injection

Privilege Escalation via SQL Injection

“case of the unkillable transaction” - DoS Attack via SQL Injection

More?:

http://www.insidesql.org/blogs/andreaswolter/2013/07/security-session-sql-server-attack-ed

SQLDay 2015

12.05.2015

INTRODUCTION

Excerpts from the 2013 Data Breach Investigations

Report



Most attacks in fact do happen from the outside

In over 50% of all cases it’s about the data!

The top HACKING actions are:



Use of stolen Credentials

Use of backdoors

The old friend Brute force (!)..

Much later followed by SQLinjection

Spyware/Keylogger

Backdoors

Exportieren of Data



The top MALWARE actions are:





The greatest amount of compromised „goods„ from databases are from financial nature

Most first attacks are in fact of simple nature.

Most break-ins stay undetected for months!

http://www.verizonenterprise.com/DBIR/2013/

SQLDay 2015

12.05.2015

The 2015 Data Breach Investigations Report

Web App Attacks

www.verizonenterprise.com/DBIR/2015/

SQLDay 2015

Why should we care?

•

WHO ist being (most successfully) attacked?

•

The big telecommunication company, car manufacturer?

•

Or the component supplier, sub-contractor, software-supplier?

•

Or just the employee of the sub-contractor as a private individual?

SQLDay 2015

12.05.2015

Please don‘t end up like that

SQLDay 2015

Plik z chomika:

keyball

Inne pliki z tego folderu:

AdvancedTimeIntelligenceWithDAX.pdf (1217 KB)
AzureML.pdf (1043 KB)
BudgetingWithPowerPivot.pdf (941 KB)
DużeObiektyWSQLServer.pdf (1510 KB)
EasyETLwithBiml.zip (1996 KB)

SQLServerUnderAttack_SQLInjection.pdf

Plik z chomika:

Inne pliki z tego folderu:

Inne foldery tego chomika: