SQL injection and out-of-band channeling

Presented at DEF CON 15 (2007), Aug. 3, 2007, 11 a.m. (50 minutes)

A large number of web applications are still found suffering from improper input validation controls. This is a fact commonly exploited by hackers in order to gain unauthorized access to backend databases and steal sensitive corporate information. As systems are hardened hackers are often forced to rely on blind SQL injection in order to extract information. The audience will be introduced to out-of-band channeling, an alternate technique which under certain circumstances can be much more efficient in achieving the task. A number of different channels, pros & cons and preventive measures will be presented. Did you know a hacker could steal your corporate secrets by channeling them over DNS?

Presenters:

• Patrik Karlsson
  Patrik Karlsson is the founder of the security related website cqure.net, where he publishes some of his security related work. He is also a partner at Inspect it, a Swedish based information security consultancy. His work has been mentioned in a number of articles and books and used for education and security testing. For the last couple of years he has specialized in web application security, databases and his family.

Links:

• https://defcon.org/html/defcon-15/dc-15-speakers.html#Karlsson
• https://infocon.org/cons/DEF CON/DEF CON 15/DEF CON 15 video/DEF CON 15 - Patrik Karlsson - SQL Injection - Video.mp4
• https://www.youtube.com/watch?v=QzZyFcjQ25Y

Similar Presentations:

• DEF CON 10 (2002) / SQL Injection
• ShmooCon I (2005) / Automated Blind SQL Exploitation
• DEF CON 12 (2004) / Blind SQL Injection Automation Techniques