SQL Injection Attacks and Defense

SQL Injection Attacks and Defense

2nd Edition - June 16, 2009
This is the Latest Edition
  • Author: Justin Clarke
  • eBook ISBN: 9781597499736
  • Paperback ISBN: 9781597499637

Purchase options

Purchase options
DRM-free (EPub, PDF, Mobi)
Available
Sales tax will be calculated at check-out

Institutional Subscription

Free Global Shipping
No minimum order

Description

SQL Injection Attacks and Defense, First Edition: Winner of the Best Book Bejtlich Read Award "SQL injection is probably the number one problem for any server-side application, and this book unequaled in its coverage." –Richard Bejtlich, Tao Security blog SQL injection represents one of the most dangerous and well-known, yet misunderstood, security vulnerabilities on the Internet, largely because there is no central repository of information available for penetration testers, IT security consultants and practitioners, and web/software developers to turn to for help. SQL Injection Attacks and Defense, Second Edition is the only book devoted exclusively to this long-established but recently growing threat. This is the definitive resource for understanding, finding, exploiting, and defending against this increasingly popular and particularly destructive type of Internet-based attack. SQL Injection Attacks and Defense, Second Edition includes all the currently known information about these attacks and significant insight from its team of SQL injection experts, who tell you about: Understanding SQL Injection – Understand what it is and how it works Find, confirm and automate SQL injection discovery Tips and tricks for finding SQL injection within code Create exploits for using SQL injection Design apps to avoid the dangers these attacks SQL injection on different databases SQL injection on different technologies SQL injection testing techniques Case Studies

Key Features

  • Securing SQL Server, Second Edition is the only book to provide a complete understanding of SQL injection, from the basics of vulnerability to discovery, exploitation, prevention, and mitigation measures.
  • Covers unique, publicly unavailable information, by technical experts in such areas as Oracle, Microsoft SQL Server, and MySQL---including new developments for Microsoft SQL Server 2012 (Denali).
  • Written by an established expert, author, and speaker in the field, with contributions from a team of equally renowned creators of SQL injection tools, applications, and educational materials.

Readership

Penetration testers, IT Security Consultants and practitioners, Database Administrators, Application Developers, Network Administrators, Security Managers, Security Analysts.

Table of Contents

  • Acknowledgements

    Dedication

    Contributing Authors

    Lead Author and Technical

    Introduction to the 2nd Edition

    Chapter 1. What Is SQL Injection?

    Introduction

    Understanding How Web Applications Work

    Understanding SQL Injection

    Understanding How It Happens

    Summary

    Solutions Fast Track

    Chapter 2. Testing for SQL Injection

    Introduction

    Finding SQL Injection

    Confirming SQL Injection

    Automating SQL Injection Discovery

    Summary

    Solutions Fast Track

    Chapter 3. Reviewing Code for SQL Injection

    Introduction

    Reviewing source code for SQL injection

    Automated source code review

    Summary

    Solutions fast track

    Chapter 4. Exploiting SQL injection

    Introduction

    Understanding common exploit techniques

    Identifying the database

    Extracting data through UNION statements

    Using conditional statements

    Enumerating the database schema

    Injecting into “INSERT” queries

    Escalating privileges

    Stealing the password hashes

    Out-of-band communication

    SQL injection on mobile devices

    Automating SQL injection exploitation

    Summary

    Solutions Fast Track

    Chapter 5. Blind SQL Injection Exploitation

    Introduction

    Finding and confirming blind SQL injection

    Using time-based techniques

    Using Response-Based Techniques

    Using Alternative Channels

    Automating blind SQL injection exploitation

    Summary

    Solutions fast track

    Chapter 6. Exploiting the operating system

    Introduction

    Accessing the file system

    Executing operating system commands

    Consolidating access

    Summary

    Solutions fast track

    References

    Chapter 7. Advanced topics

    Introduction

    Evading input filters

    Exploiting second-order SQL injection

    Exploiting client-side SQL injection

    Using hybrid attacks

    Summary

    Solutions fast track

    Chapter 8. Code-level defenses

    Introduction

    Domain Driven Security

    Using parameterized statements

    Validating input

    Encoding output

    Canonicalization

    Design Techniques to Avoid the Dangers of SQL Injection

    Summary

    Solutions fast track

    Chapter 9. Platform level defenses

    Introduction

    Using runtime protection

    Securing the database

    Additional deployment considerations

    Summary

    Solutions fast track

    Chapter 10. Confirming and Recovering from SQL Injection Attacks

    Introduction

    Investigating a suspected SQL injection attack

    So, you’re a victim—now what?

    Summary

    Solutions fast track

    Chapter 11. References

    Introduction

    Structured query language (SQL) primer

    SQL injection quick reference

    Bypassing input validation filters

    Troubleshooting SQL injection attacks

    SQL injection on other platforms

    Resources

    Solutions fast track

    Index

Product details

  • No. of pages: 576
  • Language: English
  • Copyright: © Syngress 2012
  • Published: June 16, 2009
  • Imprint: Syngress
  • eBook ISBN: 9781597499736
  • Paperback ISBN: 9781597499637
  • About the Author

    Justin Clarke

    Justin Clarke
    Justin Clarke (CISSP, CISM, CISA, MCSE, CEH) is a cofounder and executive director of Gotham Digital Science, based in the United Kingdom. He has over ten years of experience in testing the security of networks, web applications, and wireless networks for large financial, retail, and technology clients in the United States, the United Kingdom and New Zealand.

    Affiliations and Expertise

    Justin Clarke(CISSP, CISM, CISA, MCSE, CEH) is a cofounder and executive director of Gotham Digital Science, based in the United Kingdom. He has over ten years of experience in testing the security of networks, web applications, and wireless networks for large financial, retail, and technology clients in the United States, the United Kingdom and New Zealand.