SQL Injection

A 8-post collection

The ongoing scourge that is SQL injection and Azure’s new SQL Database Threat Detection

Hey, did you hear about this new security risk? It’s called SQL injection and attackers can just suck all your datas out of your system if you screw it up badly enough. Allegedly there’s like, millions of websites at risk and even kids can easily break into them! Wait – this isn’t a new risk?! Well how come it’s all over the news and these seriously large companies keep getting pwned by it?! How is that even possible?! And here we are at that reality of today; SQL injection, whilst well understood for a good decade and a half, remains the number one risk on the web today. Certainly it’s...

Free recorded webinar on Pluralsight: Why SQL Injection Remains the #1 Web Security Risk Today

A couple of weeks ago I did a free webinar on Pluralsight titled Why SQL Injection Remains the #1 Web Security Risk Today (and what you should know about it). This is a rather self-explanatory title and it’s completely true – SQL injection remains a big thing and we keep getting it wrong. Like an example? Only 8 months ago, Drupal had a major vulnerability in their product. If you’re not already familiar with Drupal, it allegedly powers 2.1% of the world’s websites… including WhiteHouse.gov. But here’s the really scary bit from their announcement: You should proceed under the assumption that every Drupal 7 website was compromised unless updated...

It’s ethical hacking with SQL injection on Pluralsight!

I’ve long been a proponent of “hacking yourself first”, that is the idea of building up some offensive skills such that you can actually take a good shot at ethically breaking apps for the betterment of society. Whether they’re you’re own apps that you’ve built or ones you’re testing part of a dev team doesn’t really matter, it’s the same skills and the same end result – you find bad stuff before bad people do. What I can now share with everyone is that over the last few months, I’ve been working hard with the folks at Pluralsight and another fellow author...

Here’s how Bell was hacked – SQL injection blow-by-blow

This content is now available in the Pluralsight course "Ethical Hacking: SQL Injection" Yes, yes, it’s happened again – OWASP’s number one risk in the Top 10 has featured prominently in a high-profile attack this time resulting in the leak of over 40,000 records from Bell in Canada. It was pretty self-evident from the original info leaked by the attackers that SQL injection had played a prominent role in the breach, but now we have some pretty conclusive evidence of it as well: The usual fanfare quickly followed – announcements by the attackers, silence by the impacted company (at least for the first day), outrage by affected customers and the new normal for...

Everything you wanted to know about SQL injection (but were afraid to ask)

This content is now available in the Pluralsight course "Ethical Hacking: SQL Injection" Put on your black hats folks, it’s time to learn some genuinely interesting things about SQL injection. Now remember – y’all play nice with the bits and pieces you’re about to read, ok? SQL injection is a particularly interesting risk for a few different reasons: It’s getting increasingly harder to write vulnerable code due to frameworks that automatically parameterise inputs – yet we still write bad code. You’re not necessarily in the clear just because you use stored procedures or a shiny ORM (you’re aware that SQLi can still get through these, right?...