Lecture 15: SQL Injection and CAPTCHAs
Intro to Web Security Attacks
Code Injection
What does each part of the special input 2+3); system('rm *.*' do? Why don't we include a closing parenthesis at the end?
Intro to SQL Injection
SQL Review
Note: If you feel comfortable with basic SQL (SELECT statements, WHERE clauses, inserting and deleting entries from tables, DROP TABLES), feel free to skip this video and refer back to it as needed.
Consider the Customer table with AcctNum, Username, and Balance fields. Write a query to output the usernames of all accounts with balance greater than or equal to 10.
SQL Injection Example
What SQL query is executed when the attacker inputs alice'; SELECT * FROM Customer;' ? Why is each part of this input necessary to avoid a syntax error?
Real-world SQL Injection Attacks
Another SQL Injection Example
Can an attacker exploit this query to learn the password of the admin user? If yes, write a malicious input that would leak the password. If no, explain why.
Defense: Input Escaping
Consider an escaping function that takes user input and replaces all instances of a single quote ' with the escaped version \'. Can an attacker still craft a malicious input using a single quote? If yes, write a malicious input that would bypass this escaping function. If no, explain why.
Defense: Parameterized SQL
(True/False) Parameterized SQL defends against all SQL injection attacks.
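The following Python script is an added example (not part of the lecture materials) that ties together the SQL review question, the SQL injection example, and the parameterized SQL defense. It builds a small in-memory SQLite table with the Customer(AcctNum, Username, Balance) schema from the lecture (sample rows are constructed), answers the balance query, shows the query string that string concatenation produces from the lecture's input alice'; SELECT * FROM Customer;', and then shows that a parameterized query treats that same input as a plain username value. Function names such as build_vulnerable_query and lookup_parameterized are this example's own.

```python
import sqlite3

# The lecture's example input: closes the open string literal, ends the
# statement, starts a second statement, and supplies a final quote so the
# application's own closing quote does not leave an unterminated literal.
INJECTION = "alice'; SELECT * FROM Customer;'"


def make_db():
    """Constructed sample data mirroring Customer(AcctNum, Username, Balance)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Customer (AcctNum INTEGER, Username TEXT, Balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO Customer VALUES (?, ?, ?)",
        [(1, "alice", 50), (2, "bob", 5), (3, "carol", 10)],
    )
    return conn


def rich_usernames(conn, threshold=10):
    """SQL review: usernames of accounts with Balance >= threshold."""
    rows = conn.execute(
        "SELECT Username FROM Customer WHERE Balance >= ? ORDER BY AcctNum",
        (threshold,),
    )
    return [r[0] for r in rows]


def build_vulnerable_query(username):
    """String concatenation: whatever the user typed becomes part of the SQL text.

    Returned as a string (not executed) so the injected second statement
    can be seen exactly as the database would receive it.
    """
    return "SELECT AcctNum FROM Customer WHERE Username = '" + username + "'"


def count_statements(sql):
    """Count top-level statements in the query text by splitting on ';'."""
    return len([s for s in sql.split(";") if s.strip()])


def lookup_parameterized(conn, username):
    """Parameterized SQL: the input is bound as a value, never parsed as SQL."""
    rows = conn.execute(
        "SELECT AcctNum FROM Customer WHERE Username = ?", (username,)
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print("Balance >= 10:", rich_usernames(db))
    vuln = build_vulnerable_query(INJECTION)
    print("Concatenated query:", vuln)
    print("Statements in concatenated query:", count_statements(vuln))
    print("Parameterized lookup of 'alice':", lookup_parameterized(db, "alice"))
    print("Parameterized lookup of injected input:",
          lookup_parameterized(db, INJECTION))
```

The concatenated query comes out as two statements followed by an empty string literal '', which is why the lecture's input needs each of its parts. The parameterized lookup returns no rows for the same input because the database compares the literal text alice'; SELECT * FROM Customer;' against the Username column and nothing else.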
Conclusion
After finishing this lecture, you should be able to complete Q2 on Homework 6.