View on ScienceDirect

SQL Injection Attacks and Defense

2nd Edition

Write a review

Authors: Justin Clarke-Salt

Paperback ISBN: 9781597499637

eBook ISBN: 9781597499736

Imprint: Syngress

Published Date: 18th June 2012

Page Count: 576

Select country/region:

Sales tax will be calculated at check-out

Bundle

40% Off

DRM-free (Mobi, PDF, EPub)

eBook format help

Institutional Subscription

Tax Exempt Orders

Support Center

Secure Checkout

Personal information is secured with SSL technology.

Free Shipping

Free global shipping
No minimum order.

Description

SQL Injection Attacks and Defense, First Edition: Winner of the Best Book Bejtlich Read Award

"SQL injection is probably the number one problem for any server-side application, and this book unequaled in its coverage." –Richard Bejtlich, Tao Security blog

SQL injection represents one of the most dangerous and well-known, yet misunderstood, security vulnerabilities on the Internet, largely because there is no central repository of information available for penetration testers, IT security consultants and practitioners, and web/software developers to turn to for help.

SQL Injection Attacks and Defense, Second Edition is the only book devoted exclusively to this long-established but recently growing threat. This is the definitive resource for understanding, finding, exploiting, and defending against this increasingly popular and particularly destructive type of Internet-based attack.

SQL Injection Attacks and Defense, Second Edition includes all the currently known information about these attacks and significant insight from its team of SQL injection experts, who tell you about:

Understanding SQL Injection – Understand what it is and how it works
Find, confirm and automate SQL injection discovery
Tips and tricks for finding SQL injection within code
Create exploits for using SQL injection
Design apps to avoid the dangers these attacks
SQL injection on different databases
SQL injection on different technologies
SQL injection testing techniques
Case Studies

Key Features

Securing SQL Server, Second Edition is the only book to provide a complete understanding of SQL injection, from the basics of vulnerability to discovery, exploitation, prevention, and mitigation measures.
Covers unique, publicly unavailable information, by technical experts in such areas as Oracle, Microsoft SQL Server, and MySQL---including new developments for Microsoft SQL Server 2012 (Denali).
Written by an established expert, author, and speaker in the field, with contributions from a team of equally renowned creators of SQL injection tools, applications, and educational materials.

Readership

Penetration testers, IT Security Consultants and practitioners, Database Administrators, Application Developers, Network Administrators, Security Managers, Security Analysts.

Acknowledgements

Dedication

Contributing Authors

Lead Author and Technical

Introduction to the 2nd Edition

Chapter 1. What Is SQL Injection?

Introduction

Understanding How Web Applications Work

Understanding SQL Injection

Understanding How It Happens

Summary

Solutions Fast Track

Chapter 2. Testing for SQL Injection

Introduction

Finding SQL Injection

Confirming SQL Injection

Automating SQL Injection Discovery

Summary

Solutions Fast Track

Chapter 3. Reviewing Code for SQL Injection

Introduction

Reviewing source code for SQL injection

Automated source code review

Summary

Solutions fast track

Chapter 4. Exploiting SQL injection

Introduction

Understanding common exploit techniques

Identifying the database

Extracting data through UNION statements

Using conditional statements

Enumerating the database schema

Injecting into “INSERT” queries

Escalating privileges

Stealing the password hashes

Out-of-band communication

SQL injection on mobile devices

Automating SQL injection exploitation

Summary

Solutions Fast Track

Chapter 5. Blind SQL Injection Exploitation

Introduction

Finding and confirming blind SQL injection

Using time-based techniques

Using Response-Based Techniques

Using Alternative Channels

Automating blind SQL injection exploitation

Summary

Solutions fast track

Chapter 6. Exploiting the operating system

Introduction

Accessing the file system

Executing operating system commands

Consolidating access

Summary

Solutions fast track

References

Chapter 7. Advanced topics

Introduction

Evading input filters

Exploiting second-order SQL injection

Exploiting client-side SQL injection

Using hybrid attacks

Summary

Solutions fast track

Chapter 8. Code-level defenses

Introduction

Domain Driven Security

Using parameterized statements

Validating input

Encoding output

Canonicalization

Design Techniques to Avoid the Dangers of SQL Injection

Summary

Solutions fast track

Chapter 9. Platform level defenses

Introduction

Using runtime protection

Securing the database

Additional deployment considerations

Summary

Solutions fast track

Chapter 10. Confirming and Recovering from SQL Injection Attacks

Introduction

Investigating a suspected SQL injection attack

So, you’re a victim—now what?

Summary

Solutions fast track

Chapter 11. References

Introduction

Structured query language (SQL) primer

SQL injection quick reference

Bypassing input validation filters

Troubleshooting SQL injection attacks

SQL injection on other platforms

Resources

Solutions fast track

Index

Details

No. of pages:: 576

Language:: English

Published:: 18th June 2012

Imprint:: Syngress

Paperback ISBN:: 9781597499637

eBook ISBN:: 9781597499736

About the Author

Justin Clarke-Salt

Justin Clarke (CISSP, CISM, CISA, MCSE, CEH) is a cofounder and executive director of Gotham Digital Science, based in the United Kingdom. He has over ten years of experience in testing the security of networks, web applications, and wireless networks for large financial, retail, and technology clients in the United States, the United Kingdom and New Zealand.

Affiliations and Expertise

Justin Clarke(CISSP, CISM, CISA, MCSE, CEH) is a cofounder and executive director of Gotham Digital Science, based in the United Kingdom. He has over ten years of experience in testing the security of networks, web applications, and wireless networks for large financial, retail, and technology clients in the United States, the United Kingdom and New Zealand.

Reviews

"Lead author and technical editor Clarke has organized the volume's 11 chapters into sections on understanding, finding, exploiting, and defending SQL injection, and has also included reference materials that provide information on database platforms not covered in detail in the main body of the text."--Reference and Research Book News, August 2013
"The most stunningly impactful attacks often leverage SQL Injection vulnerabilities. This book has everything you need to fight back, from applying the core fundamentals to protecting emerging technologies against such attacks. Keep it by your bedside and distribute it within your business."--Nitesh Dhanjani, Executive Director at Ernst & Young LLP
"Securing SQL Server - Protecting Your Database from Attackers and SQL Injection Attacks and Defense are two new books out on SQL security. The first, Securing SQL Server - Protecting Your Database from Attackers, author Denny Cherry takes a high-level approach to the topic. The book explains how to secure and protect a SQL database from attack. The book details how to configure SQL against both internal and external-based attacks. This updated edition includes new chapters on analysis services, reporting services, and storage area network security. For anyone new to SQL security, Cherry does a great job of explaining what needs to be done in this valuable guide. In and SQL Injection Attacks and Defense, editor Justin Clarke enlists the help of a set of experts on how to deal with SQL injection attacks. Since SQL is so ubiquitous on corporate networks, with sites often running hundreds of SQL servers; SQL is prone to attacks. SQL injection is a technique often used to attack databases through a website and is often done by including portions of SQL statements in a web form entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database. SQL injection is a code injection technique that exploits security vulnerability in a website's software. The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. With that, the need to defend servers against such attacks is an imperative and SQL Injection Attacks and Defense should be required reading for anyone tasks with securing SQL servers."--RSA Conference

Ratings and Reviews

write a review

WRITE A REVIEW

* Indicates a required field

* Score:

* Title:

* Review:

Review's title & body can't be empty Question's body can't be empty Please enter a star rating for this review Name field cannot be empty Invalid email Your review has already been submitted. Max length was exceeded Please fill out all of the mandatory (*) fields One or more of your answers does not meet the required criteria

Thank you for posting a review!

We value your input. Share your review so everyone else can enjoy it too.

Thank you for posting a review!

Your review was sent successfully and is now waiting for our team to publish it.

Reviews (0)

Updating Results

Institutional Subscription

Secure Checkout

Free Shipping

WRITE A REVIEW

Request Quote

Tax Exemption