Security - Datamatiker 4. semester

---

Project maintained by DatSecDK Hosted on GitHub Pages — Theme by mattgraham

← Back

Week-04 A1 SQL injection

The plan for this week is to take a closer look at SQL injection, how it is prevented, and some advice for securing the rest of the DB in case of penetration.

Learning Goals

After this week you are able to:

• Perform an attack on an unprotected database
• Prevent attacks on your database
• Explain the general principle behind injection attacks

What to Read

• W3Schools has an overview of sql injection which is a good start https://www.w3schools.com/sql/sql_injection.asp
• The owasp A1 is about this https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
• An alternative source: The Hitchhiker’s Guide to SQL Injection prevention
• SQL inject with assignment: https://github.com/SecurityDatFall2018/Week-4-SQLInject
• On XSS: Cross-site Scripting (XSS) Attack

Slides: 04-A1 SQL injection.pdf

Exercise

Implement the placeholders from PlaceHolders.java in the dk.cphbusiness.soft.sqlinject package.

Exam questions

• Give an example of a SQL inject which will give all users in a user table
• Explain how prepared statements prevent SQL injection
• Explain how to use placeholders in cases where prepared statements cannot do the job
• Explain how logging could be used to monitor injection attempts