I’ve long been a proponent of “hacking yourself first”, that is the idea of building up some offensive skills such that you can actually take a good shot at ethically breaking apps for the betterment of society. Whether they’re you’re own apps that you’ve built or ones you’re testing part of a dev team doesn’t really matter, it’s the same skills and the same end result – you find bad stuff before bad people do.
What I can now share with everyone is that over the last few months, I’ve been working hard with the folks at Pluralsight and another fellow author to take this a step further and start building out an ethical hacking series.
You can go and watch the course on Pluralsight right now or read on. Let me share the background on this, what’s in the first course of this series on SQL injection and what you can expect to see come next.
This is the number one requested content on Pluralsight
The heading says it all – this is what you’ve been asking for! By “you” I refer to those of you who’ve used Pluralsight’s Request a Course feature to put forward your ideas on the content you’d like to see in the library and as is rather evident – it’s CEH:
One thing you’ll notice is the reference to CEH – Certified Ethical Hacker – and I want to put that into context because it’s important in understanding what we’re building out here.
CEH is a certification which demonstrates security awareness across a pretty broad spectrum. We’re talking everything from SQL injection (obviously, given the title of this blog) through to network reconnaissance and then onto topics which quite frankly, are well outside my comfort zone such as buffer overflows. CEH is run by EC-Council and is a commercial enterprise which does a number of other certs as well. They’ve positioned CEH such that’s a very broadly recognised name and is some cases, is even a prerequisite for employment.
A good example is the Department of Defence in the US approving their certification:
The United States of America Department of Defense issued Directive 8570 in 2004 to mandate baseline certifications for all Information Assurance “IA” positions. In February of 2010, this directive was enhanced to include the Certified Ethical Hacker across the Computer Network Defense Categories “CND”.
Many other security positions request candidates to hold the cert in order to get a foot in the door. Arguably, EC-Council has done a very good job at promoting the brand they’ve created around CEH and ingraining it as a pre-requisite for the sorts of roles mentioned above.
That can also be levelled as a criticism not just for CEH, but for other certs as well. The objection many people have is that merely obtaining a cert of some kind should not be sufficient evidence that someone is equipped to perform, say, a role such as a penetration tester. They’re absolutely right, of course, in that no “piece of paper” whether that be a cert or a degree or anything in between should be sufficient to demonstrate that a candidate is suitable for a role. They could be a raving lunatic for all you know; a lunatic with a cert, yes, but a lunatic all the same and totally ill-equipped for the role.
The thing about these certs is that they help establish a minimum bar. Employers can look at candidates that have met that bar and have a reasonable degree of confidence in their minimum capabilities. Beyond that there are obviously many different ways of assessing higher degrees of competency, but you can see the attraction to many orgs in terms of those candidates who have their CEH.
The Pluralsight series I’m involved in building helps prepare those who wish to achieve CEH status. Those who go through this series will be in a very good position to then sit the exam and pass with flying colours. I’ll be building out a number of the courses that relate to my direct area of expertise (namely web application security) and others will be working on the areas that better align to their specialties. I’ve not sat the CEH cert myself and frankly, it probably doesn’t offer a lot of upside to the direction I’m heading professionally, I’m simply going to focus on the topics that I know well and that also fit with the CEH curriculum.
And that’s (almost) the last I want to say on CEH; here’s why:
First and foremost, this is a SQL injection course
I’ve looked at CEH in the same way as I’ve described it above – as a minimum bar. When I set out to build this course, I made sure that everything EC-Council talk about in their SQL injection material is in the course… and then I kept going. I built the best SQL injection course I felt I could and it also covers what you need to know for CEH.
This was a very important objective for me because I wanted a course that stands on its own. If you want to take this as part of a learning path towards CEH status then great, do that, but if you’re only interested in SQLi as a topic then there is absolutely nothing specific to the cert that would make it less relevant to you.
In terms of what’s actually in the course, there are nine modules spread across nearly five and a half hours:
- Why SQL Injection Matters
- Understanding SQL Queries
- The Mechanics of SQL Injection
- Discovering Schema and Extracting Data
- Blind SQL Injection
- Advanced SQL Injection Concepts
- Defending Against Attacks
- Evasion Techniques
- Automating Injection Attacks
This gets really deep into injection and covers every major aspect of the topic. Some of these I’ve touched on in previous courses such as Hack Yourself First but in this course, I go way deeper. Blind SQL injection is a perfect example of this and I spend a lot of time talking about the mechanics of boolean and time based injection when error based and union injection are off the cards.
“The mechanics” is a really important point to make here – this is about understanding how these work at a very fundamental level. For example, I talk through not just the attack vector as passed to the web app, but also run SQL Profiler on the target system to show how the database server is interpreting the attack and of course what data it’s returning. I also put this in today’s context in terms of risks. For example, you see a lot of examples out there about using xp_cmdshell to execute commands on the host… but not a lot of commentary explaining that this is disabled by default on SQL Server 2005 and newer. Of course with sufficient privileges you can run sp_configure to bring it back to life, but that’s a semantic which is often lost on material stuck in the era of the earlier RDBMS implementation.
Oh – and all the examples used in the course can be immediately practiced by you on a live website I maintain specifically for this course and others I’ve created in the Pluralsight catalogue. Don’t just watch someone else talk about SQL injection, get out there and do it yourself in an environment you won’t get yourself into trouble playing with!
By now you may be wondering though – SQL injection – is this really still a problem? You betcha, let me explain.
Is SQL injection really still a thing? Haven’t we solved this problem already?
Yes, it’s still a massive thing and even though we have so many ways of “falling into the pit of success” when we write code these days, it’s still extremely prevalent. Now part of that prevalence is the long tail of legacy stuff built well before you could argue we had good awareness of injection. But unfortunately, another significant part is all the new stuff being built with injection risks. Just last week I stumbled upon How to send forgot password link on email for reset in asp.net C# which suggests doing this:
It takes anyone who knows what to look for literally about 2 seconds to see the critical problem here. A bit more probing and you also see it connecting to the database with the “sa” account and, well, that’s it – now everything on the server is gone.
This is the thing with SQL injection – it’s not just that there’s a lot of legacy stuff out there with risks (and there is), it’s that we’re still building new risky stuff. This is what keeps it in the number one spot on the OWASP Top 10:
That’s the latest edition from 2013, it was up there in the number one spot in 2010 as well:
We know about this risk yet… here we still are.
So that’s the course and it’s ready for you to go and watch right now. For a sense of what’s to come in this series, check out CEH’s course outline and expect to see the topics outlined there coming to Pluralsight through both myself and my fellow authors over the coming months. For an intro to the ethical hacking series, Dale Meredith’s Understanding Ethical Hacking has course also just gone live as has his Reconnaissance and Footprinting course so there’s a heap of content out there right now if you want to start following along with the series.