Book Image

SQL Injection Strategies

By : Ettore Galluccio, Edoardo Caselli, Gabriele Lombari
Book Image

SQL Injection Strategies

By: Ettore Galluccio, Edoardo Caselli, Gabriele Lombari

Overview of this book

SQL injection (SQLi) is probably the most infamous attack that can be unleashed against applications on the internet. SQL Injection Strategies is an end-to-end guide for beginners looking to learn how to perform SQL injection and test the security of web applications, websites, or databases, using both manual and automated techniques. The book serves as both a theoretical and practical guide to take you through the important aspects of SQL injection, both from an attack and a defense perspective. You’ll start with a thorough introduction to SQL injection and its impact on websites and systems. Later, the book features steps to configure a virtual environment, so you can try SQL injection techniques safely on your own computer. These tests can be performed not only on web applications but also on web services and mobile applications that can be used for managing IoT environments. Tools such as sqlmap and others are then covered, helping you understand how to use them effectively to perform SQL injection attacks. By the end of this book, you will be well-versed with SQL injection, from both the attack and defense perspective.

Related Content you might be interested in

Current Title:

Small book image
SQL Injection Strategies
Ettore Galluccio | Edoardo Caselli | Gabriele Lombari
Jul, 2020 | 210 pages
Small book image
Web Penetration Testing with Kali Linux
Gilberto NajeraGutierrez | Juned Ahmed Ansari
Feb, 2018 | 426 pages
Small book image
Hands-On Application Penetration Testing with Burp Suite
Carlos A Lozano | Riyaz Ahemed Walikar | Dhruv Shah
Feb, 2019 | 366 pages
Small book image
Kali Linux Web Penetration Testing Cookbook
Gilberto NajeraGutierrez
Aug, 2018 | 404 pages
Table of Contents (11 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Code in Action
Download the color images
Conventions used
Get in touch
Reviews
1
Section 1: (No)SQL Injection in Theory
Section 1: (No)SQL Injection in Theory
Free Chapter
2
Chapter 1: Structured Query Language for SQL Injection
Chapter 1: Structured Query Language for SQL Injection
Technical requirements
An overview of SQL – a relational query language
The syntax and logic of SQL
Security implications of SQL
Weaknesses in the use of SQL
SQL for SQL injection – a recap
Summary
Questions
3
Chapter 2: Manipulating SQL – Exploiting SQL Injection
Chapter 2: Manipulating SQL – Exploiting SQL Injection
Technical requirements
Exploitable SQL commands and syntax
Common SQL injection commands and manipulation
Not only SQL injection – non-relational repositories
The injection vulnerability in non-relational repositories
Wrapping up – (No-)SQL injection in theory
Summary
Questions
4
Section 2: SQL Injection in Practice
Section 2: SQL Injection in Practice
5
Chapter 3: Setting Up the Environment
Chapter 3: Setting Up the Environment
Technical requirements
Understanding the practical approach and introducing the main tools
Overview of the OWASP BWA project
The attacker – configuring your client machine
The target – configuring your target web applications
The target – configuring your target-emulated devices
Operating the lab
Summary
Questions
6
Chapter 4: Attacking Web, Mobile, and IoT Applications
Chapter 4: Attacking Web, Mobile, and IoT Applications
Technical requirements
Attacking traditional web applications– manual techniques
Attacking traditional web applications – automated techniques
Attacking mobile targets
Attacking IoT targets
Summary
Questions
Further reading
7
Chapter 5: Preventing SQL Injection with Defensive Solutions
Chapter 5: Preventing SQL Injection with Defensive Solutions
Technical requirements
Understanding general weaknesses and SQL injection enablers
Treating user input
Sanitization and input control
Defending against SQL injection – code-level defenses
Defending against SQL injection – platform-level defenses
Summary
Questions
8
Chapter 6: Putting It All Together
Chapter 6: Putting It All Together
SQL injection – theory in perspective
SQL injection – practice in perspective
SQL injection and security implications – final comments
Summary
Questions
9
Assessments
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
10
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think

Summary

That was quite a lot of information. When dealing with defense mechanisms, there are a lot of factors to consider, and the more defense mechanisms you apply to your context, the less chance an attacker has to cause damage to your environment. For this reason, using all of the security measures we described in this chapter—or almost all, depending on the context and the applicability of these controls—is very important for security.

This chapter first covered the general aspects of countermeasures against SQL injection—specifically, dealing with user input and controlling data flows. Then, we analyzed specific defenses for dealing with application coding, general patterns to follow in application development, and securing the infrastructure surrounding the application.

As for code-level defenses, we saw how to validate input, using both blacklisting and whitelisting, to only accept safe input. Then, we applied sanitizing measures, both for query statement...

Previous Section
End of Section 8
Next Section