[Fwd: Paper: SQL Injection Attacks by Example]

Subject: [Fwd: Paper: SQL Injection Attacks by Example]
Date: Sun, 09 Jan 2005 22:04:11 -0500
Jeff et al.,

Thought this was worth a copy to webappsec. I hadn't seen any discussion of it, so I thought I'd forward it. I originally suggested to Steve that the list might find it of value, but he felt that since he'd already sent it to two SecurityFocus lists, he didn't want to post to another . . . I think this (and the discussion of it on bugtraq) would be of interest to the readers here.

Cheers,

/g

-------- Original Message --------
Subject: Paper: SQL Injection Attacks by Example
Date: Wed, 05 Jan 2005 09:30:39 -0800
From: Steve Friedl <steve@unixwiz.net>
To: bugtraq@securityfocus.com

Hello folks (and Happy New Year),

I recently posted this to the PEN-TEST list, but it was suggested that
the wider Bugtraq readership might benefit from it.

During a recent security review for a customer, I was able to completely
compromise his web application in about two hours using SQL Injection,
logging in as the Chief Information Officer.

I've written a paper on SQL Injection Attacks, not so much as a tutorial,
but an illustrated overview showing the process (those with only a casual
knowledge of SQL have told me it's easy to understand).

Those who write (or test) web applications really ought to know about SQL
Injection attacks, because the bad guys certainly do.

        SQL Injection Attacks by Example
        http://www.unixwiz.net/techtips/sql-injection.html

Steve

--
Stephen J Friedl | Security Consultant |  UNIX Wizard  |   +1 714 544-6561
www.unixwiz.net  | Tustin, Calif. USA  | Microsoft MVP | steve@unixwiz.net


  • [Fwd: Paper: SQL Injection Attacks by Example], George Capehart