- Automated SQL Ownage Techniques (CanSec)
- Sebastian Cufre (presented by Fernando Russ)
- CanSecWest Vancouver 2010
- Date published
- SQL-injection attacks, web-application security, injection flaws
This talk is about web application security assessment. In particular, in this talk we set to improve the assessment process for SQL injection vulnerabilities by providing the means to discard exogenous "false positive" alarms and confirm exploitable vulnerabilities.
We propose a black-box technique to detect and exploit SQL injection vulnerabilities. The exploitation provides an interface to execute arbitrary SQL code through them. Therefore, we are able to thoroughly assess the impact of the vulnerability (e.g., understand what a hacker can do).
The core of this talk is in examining the difficulties that appear while trying to expose vulnerability and how to do a black-box interaction to automatically construct an exploit.