SQL Injection Attacks and Defense
- 2nd Edition - June 16, 2009
- Author: Justin Clarke-Salt
- Language: English
- Paperback ISBN:9 7 8 - 1 - 5 9 7 4 9 - 9 6 3 - 7
- eBook ISBN:9 7 8 - 1 - 5 9 7 4 9 - 9 7 3 - 6
SQL Injection Attacks and Defense, First Edition: Winner of the Best Book Bejtlich Read Award "SQL injection is probably the number one problem for any server-side application, a… Read more
Purchase options
Institutional subscription on ScienceDirect
Request a sales quoteSQL Injection Attacks and Defense, First Edition: Winner of the Best Book Bejtlich Read Award
"SQL injection is probably the number one problem for any server-side application, and this book unequaled in its coverage." –Richard Bejtlich, Tao Security blog
SQL injection represents one of the most dangerous and well-known, yet misunderstood, security vulnerabilities on the Internet, largely because there is no central repository of information available for penetration testers, IT security consultants and practitioners, and web/software developers to turn to for help.
SQL Injection Attacks and Defense, Second Edition is the only book devoted exclusively to this long-established but recently growing threat. This is the definitive resource for understanding, finding, exploiting, and defending against this increasingly popular and particularly destructive type of Internet-based attack.
SQL Injection Attacks and Defense, Second Edition includes all the currently known information about these attacks and significant insight from its team of SQL injection experts, who tell you about:
- Understanding SQL Injection – Understand what it is and how it works
- Find, confirm and automate SQL injection discovery
- Tips and tricks for finding SQL injection within code
- Create exploits for using SQL injection
- Design apps to avoid the dangers these attacks
- SQL injection on different databases
- SQL injection on different technologies
- SQL injection testing techniques
- Case Studies
- Securing SQL Server, Second Edition is the only book to provide a complete understanding of SQL injection, from the basics of vulnerability to discovery, exploitation, prevention, and mitigation measures
- Covers unique, publicly unavailable information, by technical experts in such areas as Oracle, Microsoft SQL Server, and MySQL---including new developments for Microsoft SQL Server 2012 (Denali)
- Written by an established expert, author, and speaker in the field, with contributions from a team of equally renowned creators of SQL injection tools, applications, and educational materials
Penetration testers, IT Security Consultants and practitioners, Database Administrators, Application Developers, Network Administrators, Security Managers, Security Analysts
Acknowledgements
Dedication
Contributing Authors
Lead Author and Technical
Introduction to the 2nd Edition
Chapter 1. What Is SQL Injection?
Introduction
Understanding How Web Applications Work
Understanding SQL Injection
Understanding How It Happens
Summary
Solutions Fast Track
Chapter 2. Testing for SQL Injection
Introduction
Finding SQL Injection
Confirming SQL Injection
Automating SQL Injection Discovery
Summary
Solutions Fast Track
Chapter 3. Reviewing Code for SQL Injection
Introduction
Reviewing source code for SQL injection
Automated source code review
Summary
Solutions fast track
Chapter 4. Exploiting SQL injection
Introduction
Understanding common exploit techniques
Identifying the database
Extracting data through UNION statements
Using conditional statements
Enumerating the database schema
Injecting into “INSERT” queries
Escalating privileges
Stealing the password hashes
Out-of-band communication
SQL injection on mobile devices
Automating SQL injection exploitation
Summary
Solutions Fast Track
Chapter 5. Blind SQL Injection Exploitation
Introduction
Finding and confirming blind SQL injection
Using time-based techniques
Using Response-Based Techniques
Using Alternative Channels
Automating blind SQL injection exploitation
Summary
Solutions fast track
Chapter 6. Exploiting the operating system
Introduction
Accessing the file system
Executing operating system commands
Consolidating access
Summary
Solutions fast track
References
Chapter 7. Advanced topics
Introduction
Evading input filters
Exploiting second-order SQL injection
Exploiting client-side SQL injection
Using hybrid attacks
Summary
Solutions fast track
Chapter 8. Code-level defenses
Introduction
Domain Driven Security
Using parameterized statements
Validating input
Encoding output
Canonicalization
Design Techniques to Avoid the Dangers of SQL Injection
Summary
Solutions fast track
Chapter 9. Platform level defenses
Introduction
Using runtime protection
Securing the database
Additional deployment considerations
Summary
Solutions fast track
Chapter 10. Confirming and Recovering from SQL Injection Attacks
Introduction
Investigating a suspected SQL injection attack
So, you’re a victim—now what?
Summary
Solutions fast track
Chapter 11. References
Introduction
Structured query language (SQL) primer
SQL injection quick reference
Bypassing input validation filters
Troubleshooting SQL injection attacks
SQL injection on other platforms
Resources
Solutions fast track
Index
- No. of pages: 576
- Language: English
- Edition: 2
- Published: June 16, 2009
- Imprint: Syngress
- Paperback ISBN: 9781597499637
- eBook ISBN: 9781597499736
JC
Justin Clarke-Salt
Justin Clarke (CISSP, CISM, CISA, MCSE, CEH) is a cofounder and executive director of Gotham Digital Science, based in the United Kingdom. He has over ten years of experience in testing the security of networks, web applications, and wireless networks for large financial, retail, and technology clients in the United States, the United Kingdom and New Zealand.
Affiliations and expertise
Justin Clarke(CISSP, CISM, CISA, MCSE, CEH) is a cofounder and executive director of Gotham Digital Science, based in the United Kingdom. He has over ten years of experience in testing the security of networks, web applications, and wireless networks for large financial, retail, and technology clients in the United States, the United Kingdom and New Zealand.Read SQL Injection Attacks and Defense on ScienceDirect