OF DATABASES
Definitions
Google centre
■ Bibliography
What is SQL?
The SQL interface
https://stackoverflow.com/questions/21363075/writing-sql-script-base-on-conceptual-schema
https://www.engadget.com/2015-08-20-google-reveals-server-info
Google servers
Why do vulnerabilities exist?
Although SQL is, in general, a fairly secure platform, certain factors can reduce the level of security:
• Human errors
SQL Hashing
• SQL Injection
SQL Injection
https://www.avast.com/c-sql-injection
Usually, these attacks occur when the attacker, instead of entering a username and a password, enters commands that will be run on the database.
This vulnerability exists because the SQL language is standardised. It will accept these commands regardless of where they are written.
The eStore example
SELECT ItemName, ItemDescription
FROM Items
WHERE ItemNumber = 999 OR 1=1
https://www.imperva.com/learn/application-security/sql-injection-sqli/
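To show what the eStore query above does when the item number is pasted straight from user input, and how a bound parameter stops it, here is an added example in Python using the standard sqlite3 module; it is not code from the slides or from any of the cited sources. The Items table and its three rows are constructed sample data.

```python
import sqlite3

# Constructed sample rows standing in for the eStore "Items" table.
SAMPLE_ITEMS = [
    (1, "Keyboard", "Mechanical keyboard"),
    (2, "Mouse", "Wireless mouse"),
    (999, "Monitor", "27-inch display"),
]


def make_store() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed Items table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Items (ItemNumber INTEGER PRIMARY KEY, "
        "ItemName TEXT, ItemDescription TEXT)"
    )
    conn.executemany("INSERT INTO Items VALUES (?, ?, ?)", SAMPLE_ITEMS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, item_number: str) -> list:
    """Vulnerable form: the input is concatenated into the SQL text.

    With item_number = "999 OR 1=1" the statement sent to the database is
    exactly the eStore query from the slide; the WHERE clause is true for
    every row, so the whole table comes back instead of one item.
    """
    sql = ("SELECT ItemName, ItemDescription FROM Items "
           "WHERE ItemNumber = " + item_number)
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, item_number: str) -> list:
    """Hardened form: the value travels as a bound parameter.

    The SQL text is fixed; the driver passes item_number separately, so
    "999 OR 1=1" is compared as one value against ItemNumber (no row has
    that value) and is never parsed as SQL.
    """
    sql = ("SELECT ItemName, ItemDescription FROM Items "
           "WHERE ItemNumber = ?")
    return conn.execute(sql, (item_number,)).fetchall()


if __name__ == "__main__":
    db = make_store()
    payload = "999 OR 1=1"
    print("concatenated :", lookup_vulnerable(db, payload))    # every row
    print("parameterized:", lookup_parameterized(db, payload))  # []
    print("parameterized:", lookup_parameterized(db, "999"))    # the one item
```

Parameter binding, not escaping, is the fix. For a numeric key it is also worth converting the input with int() before the query, so a non-numeric value is rejected at the application boundary instead of silently matching nothing.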
■ Because databases are, in general, created and operated by people, some errors slipping in is inevitable.
https://raresql.com/2013/02/10/sql-server-the-batch-could-not-be-analyzed-because-of-compile-errors/
■ In 2021 a report by the company Verizon (DBIR) revealed that human error is the cause of over 85% of all security breaches.
https://www.theregister.com/2022/07/25/azue_sql_post_mortem/
Examples of human errors
■ DROP TABLE used incorrectly
■ UPDATE command used without a WHERE condition
■ DELETE command used incorrectly -> deletion of important data (35% of errors)
■ Weak, repeated, common passwords
■ Poor knowledge of SQL
■ Running scripts without analysing what they do
■ Data entered incorrectly or not at all (NOT NULL)
■ Intentional errors
■ Accidents
https://www.buckleyhc.com/faqssafety-tips/vector-person-leaning-back-on-big-red-question-mark/
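Two of the errors listed above, an UPDATE without WHERE and a DELETE that removes far more than intended, can be caught at the application layer. As an added example, not from the slides, the following Python wraps a write in a transaction, refuses UPDATE/DELETE statements that carry no WHERE clause (in the spirit of MySQL's safe-updates mode), and rolls back any statement that changes more rows than the caller allowed. The Accounts table, its rows and the helper names are constructed for the demo.

```python
import re
import sqlite3


class UnsafeStatement(Exception):
    """Raised before execution: UPDATE or DELETE with no WHERE clause."""


class RowCountGuard(Exception):
    """Raised after execution: more rows changed than the caller allowed."""


# Naive keyword check: an UPDATE or DELETE must carry a WHERE clause. It does
# not parse SQL, so a WHERE inside a comment or string literal would also
# satisfy it; treat it as a last-line guard, not as a substitute for review.
_WRITE_RE = re.compile(r"^\s*(UPDATE|DELETE)\b", re.IGNORECASE)
_WHERE_RE = re.compile(r"\bWHERE\b", re.IGNORECASE)


def requires_where(sql: str) -> None:
    """Reject an UPDATE/DELETE that would touch the whole table."""
    if _WRITE_RE.match(sql) and not _WHERE_RE.search(sql):
        raise UnsafeStatement("UPDATE/DELETE without WHERE refused: " + sql.strip())


def guarded_write(conn: sqlite3.Connection, sql: str, params=(), max_rows: int = 1) -> int:
    """Run one UPDATE/DELETE and keep it only if it changed at most max_rows
    rows; otherwise roll back and raise.

    sqlite3 opens a transaction implicitly before a DML statement, so the
    change is invisible to other connections until commit() is called.
    """
    requires_where(sql)
    cur = conn.cursor()
    try:
        cur.execute(sql, params)
        affected = cur.rowcount
        if affected > max_rows:
            conn.rollback()
            raise RowCountGuard(
                f"{affected} rows affected, at most {max_rows} allowed; rolled back"
            )
        conn.commit()
        return affected
    except sqlite3.Error:
        conn.rollback()
        raise


def make_accounts() -> sqlite3.Connection:
    """Constructed sample table used by the demo below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Accounts (Id INTEGER PRIMARY KEY, Owner TEXT, Balance INTEGER)")
    conn.executemany(
        "INSERT INTO Accounts VALUES (?, ?, ?)",
        [(1, "ana", 100), (2, "ion", 250), (3, "maria", 40)],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = make_accounts()
    print(guarded_write(db, "UPDATE Accounts SET Balance = Balance - 10 WHERE Id = ?", (1,)))
    for bad in ("UPDATE Accounts SET Balance = 0",
                "DELETE FROM Accounts WHERE Balance < 1000"):
        try:
            guarded_write(db, bad)
        except (UnsafeStatement, RowCountGuard) as exc:
            print("refused:", exc)
    print(db.execute("SELECT COUNT(*) FROM Accounts").fetchone()[0], "rows still present")
```

The row-count limit is the more robust of the two checks: a DELETE with a WHERE clause that is merely too broad passes the keyword test but is still undone before commit, and the caller has to state explicitly how many rows a routine write is expected to touch.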
Study                      | Detail | Error Rate
Chan, Lu, & Wei [1993]     | Percentage of 136 surveyed professional SQL users who say they usually take more than one try to do a query. | 82%
Gould                      | Cited in Reisner, 1981. Query specification errors in QBW, 39 high school and college students. Per query. | 33%
Greenblatt & Waxman [1978] | Query specification errors, paper and pencil exercise. Per query. | 25% - 27%
Reisner [1975]             | Query specification errors on final exam, SEQUEL, programmers. Per query. | 22%
Smelcer [1995]             | 20 undergraduates with 80 minutes of training in SQL. Only counted errors in which a required join was not used. Percentage of queries with such errors. 6% if low memory load, 12% if medium memory load, 17% with high memory load. Per query. | 14%
http://www.panko.com/HumanErr/SQLQueries.html
DoS attacks
■ In Denial of Service attacks the attacker "tricks" the server or the database, overloading the system with too many requests, until the server can no longer separate legitimate requests from intrusive ones.
■ In the end, the server "crashes" or becomes unstable.
■ DDoS also exists.
■ It makes use of HTTP.
https://www.researchgate.net/figure/SQL-Injection-in-order-to-achieve-DDoS-attack_fig3_302893095
https://www.howtogeek.com/97971/htg-explains-how-hackers-take-over-web-sites-with-sql-injection-ddos/
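The "too many requests" condition described in the first bullet is something the server side can measure before it becomes unstable. As an added example, not from the slides, the following Python counts requests per source address over a sliding ten-second window on constructed access-log lines and flags every address that exceeds a threshold. The log format, the paths and the addresses (taken from documentation ranges) are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines, oldest first: "timestamp client_ip path".
# 203.0.113.7 fires eight requests in three seconds; 198.51.100.4 browses normally.
SAMPLE_LOG = """\
2023-02-01T10:00:00 198.51.100.4 /items?id=1
2023-02-01T10:00:00 203.0.113.7 /items?id=1
2023-02-01T10:00:00 203.0.113.7 /items?id=2
2023-02-01T10:00:01 203.0.113.7 /items?id=3
2023-02-01T10:00:01 203.0.113.7 /items?id=4
2023-02-01T10:00:02 203.0.113.7 /items?id=5
2023-02-01T10:00:02 203.0.113.7 /items?id=6
2023-02-01T10:00:03 203.0.113.7 /items?id=7
2023-02-01T10:00:03 203.0.113.7 /items?id=8
2023-02-01T10:00:05 198.51.100.4 /items?id=2
2023-02-01T10:00:09 198.51.100.4 /cart
"""


def parse_line(line: str):
    """Split one constructed log line into (timestamp, ip, path)."""
    ts, ip, path = line.split()
    return datetime.fromisoformat(ts), ip, path


def flag_floods(lines, window_seconds: int = 10, threshold: int = 5) -> dict:
    """Sliding-window request counter per source IP.

    Returns {ip: peak_count} for every IP that sent more than `threshold`
    requests inside any `window_seconds` span. Lines must be in time order.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        if not line.strip():
            continue
        ts, ip, _ = parse_line(line)
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that have fallen out of the window ending at ts.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


if __name__ == "__main__":
    for ip, peak in flag_floods(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {peak} requests within 10 s")
```

In practice the threshold is set from a baseline of normal traffic, and a flagged address is rate-limited or blocked at the proxy rather than at the database, so the database never sees the flood in the first place.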
DoS used in combination with SQLi
https://www.mdpi.com/2079-9292/11/22/3817
Famous DoS attacks
■ SQL Slammer, in 2003. This computer worm exploited a buffer overflow vulnerability in Microsoft SQL Server.
■ Panix attack, 1996. One of the first internet providers was the target of a DoS attack. Cisco had to develop a defence strategy as a result.
https://networkdirection.net/articles/network-theory/httpprotocol/
■ Google Cloud, September 2017, was hit by an attack with a data flow of 2.54 Tb/s.
■ Cloudflare, February 2023. New record for requests: 71 million requests per second.
Types of
■ Distributed Denial of Service: more than one IP and more than 3-5 nodes.
https://www.netscout.com/blog/asert/crossing-10-million-mark-ddos-attacks-2020
Microsoft SQL VA
■ This tool helps scan the database to discover, monitor and fix security problems in the environment.
Bibliography
https://www.oracle.com/ro/database/what-is-database/#WhatIsDBMS
https://en.wikipedia.org/wiki/Vulnerability_(computing)
https://www.ibm.com/topics/database-security
https://www.red-gate.com/simple-talk/databases/sql-server/security/sql-server-vulnerabilities-and-assessment/
https://www.datasunrise.com/potential-db-threats/10-common-vulnerabilities/
https://www.sqlshack.com/the-hashbytes-function-in-t-sql/
https://www.techtarget.com/searchsoftwarequality/definition/SQL-injection
https://www.imperva.com/learn/application-security/sql-injection-sqli/
http://www.panko.com/HumanErr/SQLQueries.html
https://www.krgroup.com/security-assessment-problems/