SQL Injection vulnerability still remains a big threat for web applications. Statistics show that more than 40% of the websites are still vulnerable. This talk will demonstrate a variety of exploitation techniques including some not very popular yet very useful techniques. A number of examples will be discussed where this vulnerability goes undetected even from the most popular “commercial” scanners. The talk will have a number of demonstrations to show how by exploiting this vulnerability an attacker can not just compromise the data in the database and the underlying operating system but also use the compromised database host to attack the internal network. A number of freely available tools for exploiting this vulnerability will also be discussed along with their pros and cons.
Sumit Siddharth (sid) works as senior IT security consultant for Portcullis Computer security in U.K. Sid has authored a number of articles, advisories, white papers, tools over the years and has been a speaker at a number of IT security conferences. He also owns the popular IT security blog www.notsosecure.com.