SearchSecurity.com
SQL Injection Attack and Defense
This paper focuses on educating security professionals about the risks associated with this situation, tries to give a brief understanding of the various kinds of attacks an attacker may launch, and outlines the various strategies that can be evaluated and adopted to protect valuable information assets.
By Sagar Joshi, 09/23/2005

SQLBlock: SQL Injection Protection by Variable Normalization of SQL Statement
We present here a method to protect from SQL injection attack. The method involves using a virtual database connectivity driver as well as a special method named "variable normalization" to extract the basic structure of a SQL statement, so that we can use that information to determine whether a SQL statement is allowed to be executed. The method can be used in most scenarios and does not require changing the source code of database applications (i.e. the CGI web application). The presented method can also be used for auto-learning the allowable list of SQL statements, which makes the system very easy to set up. And since deciding whether a SQL statement is allowed amounts to checking if the normalized statement exists in our ready-sorted allowable list, the overhead of the system is very minimal.
By SQLBlock.com, 06/17/2005

Introduction to SQL Injection
It is very hard to understand the conceptual idea of SQL injection without partially understanding the code that runs in the background. With this paper I hope to explain, with the help of some examples, just how easy it is to exploit a system with SQL injection and how to defend against it.
By Lee Lawson, 06/06/2005

SQL Injection: Are Your Web Applications Vulnerable?
The objective of this paper is to educate the professional security community on the techniques that can be used to take advantage of a web application that is vulnerable to SQL injection, and to make clear the correct mechanisms that should be put in place to protect against SQL injection and input validation problems in general.
By SPI Dynamics, Inc., 10/29/2004

Blind SQL Injection
Let's talk first about plain, old-fashioned, no-frills SQL injection. This is a hacking method that allows an unauthorized attacker to access a database server. It is facilitated by a common coding blunder: the program accepts data from a client and executes SQL queries without first validating the client's input. The attacker is then free to extract, modify, add, or delete content from the database. In some circumstances, he may even penetrate past the database server and into the underlying operating system.
By Kevin Spett, 10/26/2004

An Introduction to SQL Injection Attacks for Oracle Developers
Most application developers underestimate the risk of SQL injection attacks against web applications that use Oracle as the back-end database. This paper is intended for application developers, database administrators, and application auditors to highlight the risk of SQL injection attacks and demonstrate why web applications may be vulnerable.
08/30/2004

Detection of SQL Injection and Cross-site Scripting Attacks
In the last couple of years, attacks against the Web application layer have required increased attention from security professionals. This is because no matter how strong your firewall rulesets are or how diligent your patching mechanism may be, if your Web application developers haven't followed secure coding practices, attackers will walk right into your systems through port 80. The two main attack techniques that have been used widely are SQL Injection [ref 1] and Cross Site Scripting [ref 2] attacks. SQL Injection refers to the technique of inserting SQL meta-characters and commands into Web-based input fields in order to manipulate the execution of the back-end SQL queries. These are attacks directed primarily against another organization's Web server. Cross Site Scripting attacks work by embedding script tags in URLs and enticing unsuspecting users to click on them, ensuring that the malicious Javascript gets executed on the victim's machine.
By K. K. Mookhey and Nilesh Burghate, 04/22/2004

SQL Injection Signatures Evasion
In recent years, Web application security has become a focal center for security experts. Application attacks are constantly on the rise, posing new risks for the organization. One of the most dangerous and most common attack techniques is SQL Injection, which usually allows the hacker to obtain full access to the organization's database. With the rise in SQL Injection attacks, security vendors have begun to provide security measures to protect against SQL Injection. The first ones to claim such protection have been the various Web Application Firewall vendors, followed by most IDS/IPS vendors.
By Ofer Maor and Amichai Shulman, 04/20/2004

Blindfolded SQL Injection
Until today, exploiting SQL server injection attacks depended on having the Web server return detailed error messages or having some other source of information. As a result, many security administrators suppressed these error messages, assuming this would protect them from SQL server injection exploitation. This white paper shows, however, that suppressing the error messages does not provide real protection. The research done at Imperva reveals a set of techniques that can be easily used by attackers in order to bypass this obstacle, making it clear that more substantial measures must be taken against SQL server injection attacks.
By Ofer Maor and Amichai Shulman, 03/31/2004

SQL Injection: Modes of Attack, Defense, and Why It Matters
SQL injection attacks represent a serious threat to any database-driven site. The methods behind an attack are easy to learn, and the damage caused can range from considerable to complete system compromise. Despite these risks, an incredible number of systems on the Internet are susceptible to this form of attack. Not only is it a threat easily instigated, it is also a threat that, with a little common sense and forethought, can be almost totally prevented. This paper will look at a selection of the methods available to a SQL injection attacker and how they are best defended against.
By Stuart McDonald, 03/24/2004