Automated SQL Ownage Techniques (OWASP)

Automated SQL Ownage Techniques (OWASP)

Friday, October 30, 2009
Sebastian Cufre
OWASP AppSec Brasil 2009

This talk is about web application security assessment. In particular, in this talk we set to improve the assessment process for SQL injection vulnerabilities by providing the means to discard exogenous "false positive" alarms and confirm exploitable vulnerabilities.

We propose a black-box technique to detect and exploit SQL injection vulnerabilities. The exploitation provides an interface to execute arbitrary SQL code through them. Therefore, we are able to thoroughly assess the impact of the vulnerability (e.g., understand what a hacker can do).

The core of this talk is in examining the difficulties that appear while trying to expose vulnerability and how to do a black-box interaction to automatically construct an exploit.

Related information

Publications
Zombie 2.0 | Agent Oriented SQL Abuse | alert('A javascript agent') | Systematic XSS exploitation | Automated SQL Ownage Techniques (CanSec)