Friday, 9 September 2011
Tuesday, 27 October 2009
A couple of good reviews of SQL Injection Attacks and Defense have been posted to Amazon recently (both 5 stars). Firstly we have a review from Chris Gates which gives a good balanced review of the book and points out some things he'd have liked to see. I agree with all of the points, and if we ever get a chance to do a second edition, we can add those on the todo list.
Wednesday, 23 September 2009
On a related note, I met Mirko from Help Net Security at BruCon in Brussels, but didn't manage to get an interview sorted out. There is a link to a previous email interview we did from the book review above...
Tuesday, 1 September 2009
This is a repost from the original on the GDS Security Blog
Having recently seen our book SQL Injection Attacks and Defense come out, it is very timely indeed to see in the news that, according to the recent indictment of Albert Gonzalez, SQL Injection played a key part in the Heartland Payment Systems, 7-Eleven, and Hannaford Brothers breaches, as well as in those of two other unnamed victim companies.
So how can SQL Injection, which is an application level problem, be used as a vector for attacking an organization? In a number of ways. SQL Injection gives an attacker the ability to interact with the database, and therefore if something is possible on the database server it may well be possible through SQL Injection. Modern database systems such as Oracle, SQL Server and others provide a rich variety of functionality for their users - all too often though, some of this functionality can be abused by malicious individuals.
Making some assumptions, it's likely that something like the following occurred:
- It was possible to interact with the underlying operating system in some way using SQL Injection. This could have been through the ability to execute operating system commands (such as through the well-known xp_cmdshell stored procedure on Microsoft SQL Server), or through the ability to stage content to the database server (or filesystem) and then have it compiled into executable content.
- With the ability to execute content at the operating system layer, access was consolidated by providing some form of alternative control channel or remote access to the database server.
- With consolidated access to the database server, the attacker then used the database server as a foothold to go further into the organization.
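Everything in that chain starts with the application handing attacker-controlled text to the database as part of a SQL statement. The snippet below is an added illustration for this post (not code from the book or from GDS) of that root cause and its fix: the same lookup written with string concatenation and with a parameterized query, run against a constructed in-memory SQLite table. The table, rows and the `x' OR '1'='1` test string are all made up for the demonstration; the point is that the parameterized version treats the whole input as a literal value, so the query shape can no longer be altered from outside.

```python
import sqlite3


def make_db():
    """Build a small constructed users table in memory (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The injectable pattern: user input is spliced into the SQL text itself."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The defensive pattern: the driver binds the value; it never becomes SQL syntax."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both lookups on the same input so the difference is visible side by side."""
    conn = make_db()
    try:
        return {
            "vulnerable": lookup_vulnerable(conn, name),
            "parameterized": lookup_parameterized(conn, name),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal lookup behaves the same either way.
    print(compare("alice"))
    # A classic tautology test string: the concatenated query returns every row,
    # the parameterized query correctly returns nothing because no user has that name.
    print(compare("x' OR '1'='1"))
```

The second call returns both rows from the concatenated version and an empty list from the parameterized one. Binding parameters is the first line of defence the book spends most of its defensive chapters on; on the database side, the xp_cmdshell procedure mentioned above is disabled by default on SQL Server 2005 and later, and its current state can be checked with `sp_configure 'xp_cmdshell'` after enabling 'show advanced options', so an environment where it is switched on without a documented reason is worth a closer look.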
Tuesday, 24 February 2009
I now realise that I last posted on the topic of a forthcoming book in October last year. Well, the book has now gone to production and should be hitting the shelves in May of 2009. For those of you who haven't been denial-of-serviced by my LinkedIn status updates on the progress of the book, it's called "SQL Injection Attacks and Defense", from Syngress.
I'm very happy with the great team of folks I managed to pull together for the book. The author list is as follows (in alphabetical order):
- Justin Clarke - i.e. me
- Dave Hartley - author of Bobcat
- Joe Hemler - colleague and fellow contributing author to Network Security Tools
- Alexander Kornbrust - CEO of Red Database Security and Oracle security guru with hundreds of Oracle bugs to his name
- Rodrigo Marcos - author of TAOF
- Haroon Meer - Technical Director at Sensepost, and well known speaker and researcher
- Gary O'Leary-Steele - author of Automagic SQL Injector
- Alberto Revelli - author of sqlninja
- Marco Slaviero - primary author of Squeeza
- Dafydd Stuttard - AKA Portswigger, author of Burp Suite and the Web Application Hacker's Handbook
Hopefully we'll be able to see the proofs in the next couple of weeks, and see what the production folks have done with the 520-odd pages of code-heavy goodness we sent them :-)
Sunday, 19 October 2008
Quick note - I'm currently confirmed for the following speaking engagements. If anyone is attending any of these and wants to catch up, drop me an email.
Quick announcement - looks like I'll have another book coming out early next year - I have the contract from Syngress sitting on my dressing table right now.
More details (like what the book is on, who's involved in the project etc.) will be forthcoming early next month, as I have to get the full book outline completed first. What I will tell you all is that it's a single-topic book, is going to be very technical, and I have some great contributing authors lined up for it :-)