SQL Injection Attacks and Defense
Justin Clarke
Lead Author and Technical Editor
Rodrigo Marcos Alvarez
Dave Hartley
Joseph Hemler
Alexander Kornbrust
Haroon Meer
Gary O’Leary-Steele
Alberto Revelli
Marco Slaviero
Dafydd Stuttard
Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively
“Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is
sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other
incidental or consequential damages arising out from the Work or its contents. Because some states do not
allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation
may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working
with computers, networks, data, and files.
Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author
UPDATE®,” and “Hack Proofing®,” are registered trademarks of Elsevier, Inc. “Syngress: The Definition
of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think
Like One™” are trademarks of Elsevier, Inc. Brands and product names mentioned in this book are
trademarks or service marks of their respective companies.
PUBLISHED BY
Syngress Publishing, Inc.
Elsevier, Inc.
30 Corporate Drive
Burlington, MA 01803
SQL Injection Attacks and Defense
Copyright © 2009 by Elsevier, Inc. All rights reserved. Printed in the United States of America. Except as
permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in
any form or by any means, or stored in a database or retrieval system, without the prior written permission
of the publisher, with the exception that the program listings may be entered, stored, and executed in
a computer system, but they may not be reproduced for publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN 13: 978-1-59749-424-3
Publisher: Laura Colantoni
Page Layout and Art: SPI
Acquisitions Editor: Rachel Roumeliotis
Copy Editor: Audrey Doyle
Developmental Editor: Matthew Cater
Indexer: SPI
Lead Author and Technical Editor: Justin Clarke
Cover Designer: Michael Kavish
Project Manager: Heather Tighe
For information on rights, translations, and bulk sales, contact Matt Pedersen, Director of Corporate Sales,
Elsevier; email m.pedersen@elsevier.com.
Library of Congress Cataloging-in-Publication Data
Application Submitted
Lead Author and Technical Editor
Justin Clarke is a co-founder and Director of Gotham Digital Science, an information
security consulting firm that works with clients to identify, prevent, and manage security
risks. He has over twelve years’ experience in testing the security of networks, web
applications, and wireless networks for large financial, retail, and technology clients in
the United States, United Kingdom and New Zealand.
Justin is a contributing author to a number of computer security books, as well as
a speaker at many conferences and events on security topics, including Black Hat USA,
EuSecWest, OSCON, ISACA, RSA, SANS, OWASP, and the British Computer Society.
He is the author of the Open Source SQLBrute blind SQL injection exploitation tool,
and is the Chapter Leader for the London chapter of OWASP.
Contributing Authors
Rodrigo Marcos Alvarez (MSc, BSc, CREST, CISSP, CNNA, OPST,
MCP) is the founder and technical director of SECFORCE. SECFORCE
is a UK-based IT security consultancy that offers vendor-independent and
impartial IT security advice to companies across all industry fields.
Rodrigo is a contributor to the OWASP project and a security researcher.
He is particularly interested in network protocol analysis via fuzz testing.
Among other projects, he has released TAOF, a protocol-agnostic GUI fuzzer,
and proxyfuzz, a TCP/UDP proxy which fuzzes on the fly. Rodrigo has
also contributed to the web security field by releasing bsishell, an interactive
Python blind SQL injection shell, and by developing TCP socket reuse
attack techniques.
Dave Hartley has been working in the IT security industry since 1998.
He is currently a security consultant for Activity Information Management,
based in the United Kingdom, where he is responsible for the development
and delivery of Activity’s technical auditing services.
Dave has performed a wide range of security assessments and provided
a myriad of consultancy services for clients in a number of different sectors,
including financial institutions, entertainment, media, telecommunications,
and software development companies and government organizations
worldwide. Dave is a CREST certified consultant and part of Activity’s
CESG CHECK team. He is also the author of the Bobcat SQL injection
exploitation tool.
Dave would like to express heartfelt thanks to his extremely beautiful
and understanding wife Nicole for her patience and support.
Joseph Hemler (CISSP) is a co-founder and Director of Gotham Digital
Science, an information security consulting firm that works with clients to
identify, prevent, and manage security risks. He has worked in the realm of
application security for over 9 years, and has deep experience identifying,