‘) UNION SELECT `This_Talk` AS (‘New Exploitation and Obfuscation Techniques’)%00

Presented at DerbyCon 3.0 All in the Family (2013), Sept. 29, 2013, 11 a.m. (50 minutes).

This talk will present some of the newest and most advanced optimization and obfuscation techniques available in the field of SQL Injections. These techniques can be used to bypass web application firewalls and intrusion detection systems at an alarming speed. This talk will also demonstrate these techniques on both open-source and commercial firewalls and present the ALPHA version of a framework called Leapfrog, which Roberto is developing. Leapfrog is designed to assist security professionals, IT administrators, firewall vendors and companies in testing their firewall rules and implementation to determine whether they are an adequate defensive measure against a real cyber-attack.

Many of the techniques that will be presented were created by Roberto Salgado and are currently some of the fastest methods of extracting information from a database through SQL Injections. Roberto will demonstrate how to reduce the time it takes to exploit a SQL Injection by more than a third of the time it would normally take. He will also demonstrate why firewalls and intrusion detection systems are not the ultimate solution to security and why other defensive measures should also be implemented.
Presenters:

  • Roberto Salgado
    As an Information Security specialist, Roberto has always been passionate about his line of work and has several years of experience researching and experimenting in this field. His expertise comes from his continuing commitment to exploring the cutting edge of today's security challenges and finding solutions to these security problems. This driving passion has given him the opportunity to participate in and contribute to great projects such as ModSecurity, PHPIDS, sqlmap and the Web Application Obfuscation book. He also created and maintains the SQL Injection Knowledge Base, an invaluable resource for penetration testers when dealing with SQL Injections. In his free time Roberto enjoys creating SQL Injection challenges for both the security community and himself to learn from. Additionally, Roberto enjoys programming in Python and has created projects like Panoptic, a penetration testing tool that automates the search and retrieval of common log and config files through LFI vulnerabilities.