sql injection soul injection attacks n.
Skip this Video
Download Presentation
SQL Injection & Soul Injection attacks

Loading in 2 Seconds...

play fullscreen
1 / 30

SQL Injection & Soul Injection attacks - PowerPoint PPT Presentation

  • Uploaded on

SQL Injection & Soul Injection attacks. Mano ‘dash4rk’ Paul CISSP, CSSLP, AMBCI, MCAD, MCSD, CompTIA Network+, ECSA. ABC’s about me --. Author The 7 Qualities of Highly Secure Software The Official (ISC) 2 Guide to the CSSLP Advisor Software Assurance Advisor Biologist

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'SQL Injection & Soul Injection attacks' - decima

Download Now An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
sql injection soul injection attacks
SQL Injection & Soul Injection attacks

Mano ‘dash4rk’ PaulCISSP, CSSLP, AMBCI, MCAD, MCSD, CompTIA Network+, ECSA

abc s about me
ABC’s about me --
  • Author
    • The 7 Qualities of Highly Secure Software
    • The Official (ISC)2 Guide to the CSSLP
  • Advisor
    • Software Assurance Advisor
  • Biologist
    • Shark Researcher – Bimini Islands, Bahamas
  • Christian
  • CEO
    • SecuRisk Solutions / Express Certifications

Teach Security (SQL Injection)

Teach Christ (Soul Injection)

Teach Security In Christ (Discussion)

teach security
Teach Security

SQL Injection

problem on the rise
Problem on the rise
  • OWASP Top 10 rankings
    • 6th (2004)
    • 2nd (2007)
    • 1st (2010)
so what is sql injection
So what is SQL Injection?
  • SQL Command +
  • User Input(s)
  • SQL Command(s)

An attack where the attacker supplies input which gets concatenated with internal SQL commands and gets executed.

the hacker
The Hacker

Attempts to exploit vulnerabilities and execute their own commands within your application

Seeks control upon compromise


Tell me, and I’ll forget

Show me, and I may remember

Involve me, and I’ll understand


root cause analysis
Root Cause Analysis

External: Input not handled properly

Internal: Dynamic Query Construction

string _sQry= "SELECT * FROM USERS WHERE uname= '" + txtUserName.Text+ "' AND pwd= '"+ txtPassword.Text+ "'”;

Attacker supplies ' OR 1=1 --

string _sQry = "SELECT * FROM USERS

WHERE uname= '' OR 1=1 –- '

AND pwd = '" + txtPassword.Text + "'";

  • Theft / Disclosure (Confidentiality)
    • ' UNION SELECT min(uname) '','' FROM USERS, WHERE uname> 'a’ --
  • Alteration (Integrity)
    • '; UPDATE USERS SET pwd= 'h@x0r' WHERE uname= 'administrator’ --
  • Destruction / DoS (Availability)
    • '; DROP TABLE USERS --
mitigation controls
Mitigation Controls
  • Handle Input
    • Replace Quotes
    • Validate (Format, Length, Range, Type)
    • Filter (Blacklist / Whitelist)
  • Error/Exception Handling
    • Laconic messages
    • Catch all exceptions
    • Don’t show the Error
mitigation controls continued
Mitigation Controls (Continued)
  • Implement Least privilege
    • Reader/writer accounts instead of database owner (dbo)
    • Remove unneeded functions/procedures
    • Harden the database server
  • Re-architect the Application
    • Change the way the application processes input
re architect the application
Re-architect the Application

This is the BEST defense against SQL Injection

Disallow dynamic query construction

Use parameterized procedures/statements

Use Language Integrated Query (LINQ) (if supported)

Parameterization renders ineffective all input data that are concatenated with SQL commands

teach christ
Teach Christ

Soul Injection

what is soul injection
What is Soul Injection?

An attack where the devil supplies temptations which gets concatenated with our internal commands and gets executed.

the attacker
The attacker
  • Devil a.k.a. Satan, attempts to exploit human weaknesses and execute his own commands within your life
  • Seeks control upon compromise

Satan, the attacker, is like a roaring lion,

seeking whom he may devour (1 Peter 5:8)

since the beginning of time
Since the beginning of time

In the Garden of Eden

through time till


and still rising …

Satan, the attacker has blinded the minds of many, lest they see the glorious light of the Gospel in Jesus Christ (2 Corinthians 4:4)

no one is safe
No one is safe

Irrespective of race, color, sex, age, nationality, or even religion.

All have sinned and have fallen short of the glory of God (Romans 3:23)

The wages of sin is death (Romans 6:23)

root cause analysis1
Root Cause Analysis
  • External: Not handling temptations properly
    • Sin is crouching at your door, don’t let it master you (Genesis 4:7)
  • Internal: Conceived in sin (the way we are architected)
    • Each person is tempted when he is lured and enticed by his owndesire (Psalm 51:5, James 1:14-15; ESV)
  • Theft / Disclosure (Confidentiality)
    • The thief (devil) cometh not, but for to steal, and to kill, and to destroy: I (Jesus) have come so that you might have life, and that you might have it more abundantly(John 10:10)
  • Alteration (Integrity)
    • The devil is the father of lies (John 8:44) who alters the truth
  • Destruction / DoS (Availability)
    • Then desire when it (desire) has conceived (concatenated with temptation) gives birth to sin (action), and sin when it is fully grown brings forth death (destruction) (James 1:15)
    • No man can serve 2 masters (Matthew 6:24); DoS to God
mitigating controls
Mitigating Controls
  • Handle Temptation
    • Replace / Validate / Filter
  • Be laconic
    • Let your ‘Yes’ be ‘Yes’ and your ‘No’ be ‘No’; all else beyond this is from the evil one (Matthew 5:37)
  • Implement least privilege
    • Be humble, putting on the mind of Christ (Philippians 2:5-8)
the control
The Control
  • Re-architect your life
    • Change the way you handle temptation; repent and disallow responses to temptation input
    • Store inside of you, the Holy Spirit of Jesus Christ, who is given to all who believe in his Name.

The Holy Spirit will help you render ineffective all temptations and he will help you handle them.


teach security in christ
Teach Security In Christ

Points to Ponder

discussion points
Discussion Points

How are you defending your soul against injection attacks by Satan (the attacker)?

All who call on the

name of the Lord Jesus Christ

shall be saved

(Joel 2:32)

closing thoughts
Closing Thoughts

try {

if (uLikedThisPresentationAndMtg) {


followAndTweet(); // @hackformers


emailUs(); // mano.paul@hackformers.org

} else {

giveFeedback(); // mano.paul@hackformers.org



catch(Temptations t) {

applyControl(God JesusChrist);


finally {