Entries tagged with “SQL injection”.


Sid is doing his popular course,┬áThe Art of Exploiting Injection Flaws, at this year’s Black Hat. You can find more details here.
Definitely highly recommended.

An article Raj Samani and I wrote was published in infosecurity magazine.

It’s always funny to hear yourself speak ­čÖé

http://www.youtube.com/watch?v=PbmVSGTra30

Well, that was fun. I had a great time at UKOUG at Birmingham.┬áMet friends, enjoyed the parties and gave a SQL Injection security presentation. All in all, I think it went well – no demos crashing, etc.

It’s pretty much the same presentation I gave at in the hacking exposed series so you can download it here┬áwith all the scripts and the demo app.

Presentation Attendies

Presentation Attendies

Here is the presentation and demo application I’ve used for the hacking exposed webinar I did on April 14th. The download file includes an eclipse project and instructions under the “etc” folder. It also includes a few scripts I used for blind SQL injection and worm infection.

Tell me what you think…

HackingExposed

McAfee just posted a threat brief we created regarding the LizaMoon attack spreading through vulnerable web sites. Thanks to Vadim and our red team for providing the material and Andy for doing the proofing and adding his words of wisdom. As always, the simple way to solve SQL injection is to use bind variables.

On another topic, I’m presenting another “Hacking Exposed” session with McAfee tomorrow (4/14/2011) at 11am PDT. This session is going to demonstrate many techniques used by hackers to exploit SQL injection (with focus on Oracle) including some new blind time-based SQL injection options. Please register, it’s free!

I guess this is somewhat ironical. At least it was nothing simple as in-band SQL Injection via errors or directly. It just goes to show you that any site can be vulnerable to attacks, even guys that write DB engines for a living. On the other hand, I’m sure that the sites were not created by the same guys who work on the database.

The answer to SQL Injection is very simple – use BIND VARIABLES, for Pete’s sake. It will cover 99% of your use-cases and for the other 1%, consider the security implications!

This is just too funny – the site owner is accusing the guys that reported the vulnerability of┬áextortion.┬áMore details can be found here and here.

And it all started with a simple SQL Injection that can be exploited through the site error messages. I talked about this multiple times in the past.

Of course, the passwords were in clear text and multiple messages from site members to use hashing and not email passwords to users were deleted from the site’s forum.

Sumit Siddarth (Sid) has published an excellent whitepaper talking about hacking Oracle from the web. It shows many types and techniques of SQL injection and how to use an SQL injection vulnerability as a jumping point to extract data, take control of the database and even escape the database to the OS.

Security folks and DBAs out there, this is a must read!

A really well written blog post from Mike Smithers about the need to validate data from all sources – also coming from the database.

Good one…