SQL Injection Attacks and Defense, 1st edition, by Justin Clarke (ISBN 9780080958576 / 0080958575)
Product details:
ISBN 10: 0080958575
ISBN 13: 9780080958576
Author: Justin Clarke
SQL injection represents one of the most dangerous and well-known, yet misunderstood, security vulnerabilities on the Internet, largely because there is no central repository of information to turn to for help. This is the only book devoted exclusively to this long-established but recently growing threat. It includes all the currently known information about these attacks and significant insight from its contributing team of SQL injection experts.
- What is SQL injection? Understand what it is and how it works
- Find, confirm, and automate SQL injection discovery
- Discover tips and tricks for finding SQL injection within the code
- Create exploits using SQL injection
- Design to avoid the dangers of these attacks
SQL Injection Attacks and Defense, 1st edition: Table of Contents
Chapter 1: What Is SQL Injection?
- Introduction
- Understanding How Web Applications Work
- A Simple Application Architecture
- A More Complex Architecture
- Understanding SQL Injection
- High-Profile Examples
- Understanding How It Happens
- Dynamic String Building
- Incorrectly Handled Escape Characters
- Incorrectly Handled Types
- Incorrectly Handled Query Assembly
- Incorrectly Handled Errors
- Incorrectly Handled Multiple Submissions
- Insecure Database Configuration
- Summary
- Solutions Fast Track
- Frequently Asked Questions
Chapter 2: Testing for SQL Injection
- Introduction
- Finding SQL Injection
- Testing by Inference
- Identifying Data Entry
- GET Requests
- POST Requests
- Other Injectable Data
- Manipulating Parameters
- Information Workflow
- Database Errors
- Commonly Displayed SQL Errors
- Microsoft SQL Server Errors
- MySQL Errors
- Oracle Errors
- Application Response
- Generic Errors
- HTTP Code Errors
- Different Response Sizes
- Blind Injection Detection
- Confirming SQL Injection
- Differentiating Numbers and Strings
- Inline SQL Injection
- Injecting Strings Inline
- Injecting Numeric Values Inline
- Terminating SQL Injection
- Database Comment Syntax
- Using Comments
- Executing Multiple Statements
- Time Delays
- Automating SQL Injection Discovery
- Tools for Automatically Finding SQL Injection
- HP WebInspect
- IBM Rational AppScan
- HP Scrawlr
- SQLiX
- Paros Proxy
- Summary
- Solutions Fast Track
- Frequently Asked Questions
Chapter 3: Reviewing Code for SQL Injection
- Introduction
- Reviewing Source Code for SQL Injection
- Dangerous Coding Behaviors
- Dangerous Functions
- Following the Data
- Following Data in PHP
- Following Data in Java
- Following Data in C#
- Reviewing PL/SQL and T-SQL Code
- Automated Source Code Review
- Yet Another Source Code Analyzer (YASCA)
- Pixy
- AppCodeScan
- Lapse
- Security Compass Web Application Analysis Tool (SWAAT)
- Microsoft Source Code Analyzer for SQL Injection
- Microsoft Code Analysis Tool .NET (CAT.NET)
- Commercial Source Code Review Tools
- Ounce
- Fortify Source Code Analyzer
- CodeSecure
- Summary
- Solutions Fast Track
- Frequently Asked Questions
Chapter 4: Exploiting SQL Injection
- Introduction
- Understanding Common Exploit Techniques
- Using Stacked Queries
- Identifying the Database
- Non-Blind Fingerprint
- Banner Grabbing
- Blind Fingerprint
- Extracting Data through UNION Statements
- Matching Columns
- Matching Data Types
- Using Conditional Statements
- Approach 1: Time-based
- Approach 2: Error-based
- Approach 3: Content-based
- Working with Strings
- Extending the Attack
- Using Errors for SQL Injection
- Error Messages in Oracle
- Enumerating the Database Schema
- SQL Server
- MySQL
- Oracle
- Escalating Privileges
- SQL Server
- Privilege Escalation on Unpatched Servers
- Oracle
- Stealing the Password Hashes
- SQL Server
- MySQL
- Oracle
- Oracle Components
- APEX
- Oracle Internet Directory
- Out-of-Band Communication
- Microsoft SQL Server
- Oracle
- HTTP/DNS
- File System
- SQL Server
- MySQL
- Oracle
- Automating SQL Injection Exploitation
- Sqlmap
- Sqlmap Example
- Bobcat
- BSQL
- Other Tools
- Summary
- Solutions Fast Track
- Frequently Asked Questions
Chapter 5: Blind SQL Injection Exploitation
- Introduction
- Finding and Confirming Blind SQL Injection
- Forcing Generic Errors
- Injecting Queries with Side Effects
- Splitting and Balancing
- Common Blind SQL Injection Scenarios
- Blind SQL Injection Techniques
- Inference Techniques
- Increasing the Complexity of Inference Techniques
- Alternative Channel Techniques
- Using Time-Based Techniques
- Delaying Database Queries
- MySQL Delays
- Generic MySQL Binary Search Inference Exploits
- Generic MySQL Bit-by-Bit Inference Exploits
- SQL Server Delays
- Generic SQL Server Binary Search Inference Exploits
- Generic SQL Server Bit-by-Bit Inference Exploits
- Oracle Delays
- Time-Based Inference Considerations
- Using Response-Based Techniques
- MySQL Response Techniques
- SQL Server Response Techniques
- Oracle Response Techniques
- Returning More Than One Bit of Information
- Using Alternative Channels
- Database Connections
- DNS Exfiltration
- E-mail Exfiltration
- HTTP Exfiltration
- Automating Blind SQL Injection Exploitation
- Absinthe
- BSQL Hacker
- SQLBrute
- Sqlninja
- Squeeza
- Summary
- Solutions Fast Track
- Frequently Asked Questions
Chapter 6: Exploiting the Operating System
- Introduction
- Accessing the File System
- Reading Files
- MySQL
- Microsoft SQL Server
- Oracle
- Writing Files
- MySQL
- Microsoft SQL Server
- Oracle
- Executing Operating System Commands
- Direct Execution
- Oracle
- DBMS_SCHEDULER
- PL/SQL Native
- Other Possibilities
- Alter System Set Events
- PL/SQL Native 9i
- Buffer Overflows
- Custom Application Code
- MySQL
- Microsoft SQL Server
- Consolidating Access
- Summary
- Solutions Fast Track
- Frequently Asked Questions
Chapter 7: Advanced Topics
- Introduction
- Evading Input Filters
- Using Case Variation
- Using SQL Comments
- Using URL Encoding
- Using Dynamic Query Execution
- Using Null Bytes
- Nesting Stripped Expressions
- Exploiting Truncation
- Bypassing Custom Filters
- Using Non-Standard Entry Points
- Exploiting Second-Order SQL Injection
- Finding Second-Order Vulnerabilities
- Using Hybrid Attacks
- Leveraging Captured Data
- Creating Cross-Site Scripting
- Running Operating System Commands on Oracle
- Exploiting Authenticated Vulnerabilities
- Summary
- Solutions Fast Track
- Frequently Asked Questions
Chapter 8: Code-Level Defenses
- Introduction
- Using Parameterized Statements
- Parameterized Statements in Java
- Parameterized Statements in .NET (C#)
- Parameterized Statements in PHP
- Parameterized Statements in PL/SQL
- Validating Input
- Whitelisting
- Blacklisting
- Validating Input in Java
- Validating Input in .NET
- Validating Input in PHP
- Encoding Output
- Encoding to the Database
- Encoding for Oracle
- Oracle dbms_assert
- Encoding for Microsoft SQL Server
- Encoding for MySQL
- Canonicalization
- Canonicalization Approaches
- Working with Unicode
- Designing to Avoid the Dangers of SQL Injection
- Using Stored Procedures
- Using Abstraction Layers
- Handling Sensitive Data
- Avoiding Obvious Object Names
- Setting Up Database Honeypots
- Additional Secure Development Resources
- Summary
- Solutions Fast Track
- Frequently Asked Questions
Chapter 9: Platform-Level Defenses
- Introduction
- Using Runtime Protection
- Web Application Firewalls
- Using ModSecurity
- Configurable Rule Set
- Request Coverage
- Request Normalization
- Response Analysis
- Intrusion Detection Capabilities
- Intercepting Filters
- Web Server Filters
- Application Filters
- Implementing the Filter Pattern in Scripted Languages
- Filtering Web Service Messages
- Non-Editable versus Editable Input Protection
- URL/Page-Level Strategies
- Page Overriding
- URL Rewriting
- Resource Proxying/Wrapping
- Aspect-Oriented Programming (AOP)
- Application Intrusion Detection Systems (IDSs)
- Database Firewall
- Securing the Database
- Locking Down the Application Data
- Use the Least-Privileged Database Login
- Revoke PUBLIC Permissions
- Use Stored Procedures
- Use Strong Cryptography to Protect Stored Sensitive Data
- Maintaining an Audit Trail
- Oracle Error Triggers
- Locking Down the Database Server
- Additional Lockdown of System Objects
- Restrict Ad Hoc Querying
- Strengthen Controls Surrounding Authentication
- Run in the Context of the Least-Privileged Operating System Account
- Ensure That the Database Server Software Is Patched
- Additional Deployment Considerations
- Minimize Unnecessary Information Leakage
- Suppress Error Messages
- Use an Empty Default Web Site
- Use Dummy Host Names for Reverse DNS Lookups
- Use Wildcard SSL Certificates
- Limit Discovery via Search Engine Hacking
- Disable Web Services Description Language (WSDL) Information
- Increase the Verbosity of Web Server Logs
- Deploy the Web and Database Servers on Separate Hosts
- Configure Network Access Control
- Summary
- Solutions Fast Track
- Frequently Asked Questions
Chapter 10: References
- Introduction
- Structured Query Language (SQL) Primer
- SQL Queries
- SELECT Statement
- UNION Operator
- INSERT Statement
- UPDATE Statement
- DELETE Statement
- DROP Statement
- CREATE TABLE Statement
- ALTER TABLE Statement
- GROUP BY Statement
- ORDER BY Clause
- Limiting the Result Set
- SQL Injection Quick Reference
- Identifying the Database Platform
- Identifying the Database Platform via Time Delay Inference
- Identifying the Database Platform via SQL Dialect Inference
- Combining Multiple Rows into a Single Row
- Microsoft SQL Server Cheat Sheet
- Enumerating Database Configuration Information and Schema
- Blind SQL Injection Functions: Microsoft SQL Server
- Microsoft SQL Server Privilege Escalation
- OPENROWSET Reauthentication Attack
- Attacking the Database Server: Microsoft SQL Server
- System Command Execution via xp_cmdshell
- xp_cmdshell Alternative
- Cracking Database Passwords
- Microsoft SQL Server 2005 Hashes
- File Read/Write
- MySQL Cheat Sheet
- Enumerating Database Configuration Information and Schema
- Blind SQL Injection Functions: MySQL
- Attacking the Database Server: MySQL
- System Command Execution
- Cracking Database Passwords
- Attacking the Database Directly
- File Read/Write