SQL Injection Attacks Infographic

What is Usemame "[email protected]' or 1=1; /* an SQL Password */- Injection Attack? SQL Injection attacks account for almost 1/3 of all attacks on Web Applications. SGQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution For example : to dump the database contents to the attacker. What does SQL stand for ? Most web applications interact with a database using a machine- understandable language called the Standard Query Language (or SQL). If best practices aren't followed, potential attackers can use your website to execute arbitrary queries to retrieve, insert and even delete information about your customers, your business. How do SQL Injection Attacks Work? 1. 3 '[email protected]' or 1=1; /* */- Log In Forgot Password 1 3 Some of this code may be This may lead to Attackers gaining Hackers insert malicious code into executed by your database input fields on your site. if you are not using best admin privileges on son security practices. your Database. Legitimate User vs Illegitimate User [email protected] '[email protected]’ or 1=1; /* honestpassword */- Log In Log In Forgot Password Forgot Password Enters a script composed of unfamiliar characters & phrases into the login form with the intent of bypassing it. Enters normal Username and Password in the login form and logs in as expected. 目 目 目 目 目 目 目 目 目 目 目 目 目 Makes normal behaviour requests and Makes abnormal and privileged queries to and from the database. requests $17 Million Finds the information she/he was Ransoms or Deletes stolen information. looking for and signs out. SQL Injection Attack Statistics 32% The percentage of Web Applications that are affected by SQL Injection. 27* The percentage of all web attacks that are SQL Injection attacks. The average cost of a minor SQL O $196,000 Injection attack. Mitigation Use of Parameterized Queries. Parameterized queries force the developer to first define all the SQL code, and then pass in each Are you secure? parameter to the query later. This coding style allows the database to distinguish between and data, regardless of what user input is supplied. Principle of Least Privilege. Your web application should only have permission to perform the tasks it needs to, nothing more. For example, your web app probably does not need to have permission to create backups, or destroy the database. Filter Input, Escape Output. Ensure the input your application receives is filtered, and that any input you're going to store or present back has been escaped. BARRICADE The early warning system against hackers. ade.io ww @barricadeio 個 口