Document information:
The ebook "SQL Injection Attacks and Defense" covers: what SQL injection is; testing for SQL injection; reviewing code for SQL injection; exploiting SQL injection; blind SQL injection exploitation; exploiting the operating system; advanced topics; code-level defenses; platform-level defenses; confirming and recovering from SQL injection attacks; references.
Content extracted from the document:
Ebook SQL Injection attacks and defense (2/E)
SQL Injection Attacks and Defense
Second Edition
Justin Clarke
Table of Contents
Cover image
Title page
Copyright
Acknowledgements
Dedication
Contributing Authors
Lead Author and Technical
Introduction to the 2nd Edition
Chapter 1. What Is SQL Injection?
Introduction
Understanding How Web Applications Work
Understanding SQL Injection
Understanding How It Happens
Summary
Solutions Fast Track
Chapter 2. Testing for SQL Injection
Introduction
Finding SQL Injection
Confirming SQL Injection
Automating SQL Injection Discovery
Summary
Solutions Fast Track
Chapter 3. Reviewing Code for SQL Injection
Introduction
Reviewing source code for SQL injection
Automated source code review
Summary
Solutions fast track
Chapter 4. Exploiting SQL injection
Introduction
Understanding common exploit techniques
Identifying the database
Extracting data through UNION statements
Using conditional statements
Enumerating the database schema
Injecting into “INSERT” queries
Escalating privileges
Stealing the password hashes
Out-of-band communication
SQL injection on mobile devices
Automating SQL injection exploitation
Summary
Solutions Fast Track
Chapter 5. Blind SQL Injection Exploitation
Introduction
Finding and confirming blind SQL injection
Using time-based techniques
Using Response-Based Techniques
Using Alternative Channels
Automating blind SQL injection exploitation
Summary
Solutions fast track
Chapter 6. Exploiting the operating system
Introduction
Accessing the file system
Executing operating system commands
Consolidating access
Summary
Solutions fast track
References
Chapter 7. Advanced topics
Introduction
Evading input filters
Exploiting second-order SQL injection
Exploiting client-side SQL injection
Using hybrid attacks
Summary
Solutions fast track
Chapter 8. Code-level defenses
Introduction
Domain Driven Security
Using parameterized statements
Validating input
Encoding output
Canonicalization
Design Techniques to Avoid the Dangers of SQL Injection
Summary
Solutions fast track
Chapter 9. Platform level defenses
Introduction
Using runtime protection
Securing the database
Additional deployment considerations
Summary
Solutions fast track
Chapter 10. Confirming and Recovering from SQL Injection Attacks
Introduction
Investigating a suspected SQL injection attack
So, you’re a victim—now what?
Summary
Solutions fast track
Chapter 11. References
Introduction
Structured query language (SQL) primer
SQL injection quick reference
Bypassing input validation filters
Troubleshooting SQL injection attacks
SQL injection on other platforms
Resources
Solutions fast track
Index
Copyright
Acquiring Editor: Chris Katsaropoulos
Development Editor: Heather Scherer
Project Manager: Jessica Vaughan
Designer: Russell Purdy
Syngress is an imprint of Elsevier
225 Wyman Street, Waltham, MA 02451, USA
© 2012 Elsevier, Inc. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or any information storage and retrieval system, without
permission in writing from the publisher. Details on how to seek permission, further information about the
Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center
and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.
This book and the individual contributions contained in it are protected under copyright by the Publisher (other
than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding,
changes in research methods or professional practices, may become necessary. Practitioners and researchers must always rely
on their own experience and knowledge in evaluating and using any information or methods described herein. In using such
information or methods they should be mindful of their own safety and the safety of others, including parties for whom they
have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any
injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or
operation of any methods, products, instructions, or ideas contained in the material herein.
Library of Congress Cataloging-in-Publication Data
Application submitted
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.
ISBN: 978-1-59749-963-7
Printed in the United States of America
12 13 14 15 16 10 9 8 7 6 5 4 3 2 1
For information on all Syngress publications visit our website at www.syngress.com
Acknowledgements
Justin would like to thank the Syngress editing team (and especially Chris Katsaropoulos and
Heather Scherer) for once again being willing to take on a book which (in the publishing
industry) has a ridiculous number of authors involved. He’d also like to thank, in his role as
chief cat-herder, the author team for all pulling together to get this project completed.
Dedication
Justin would like to dedicate this book to his daughter Adena for being a continual delight to
him.
Dave would like to expre ...