
SQL Injection

An 8-post collection

The ongoing scourge that is SQL injection and Azure’s new SQL Database Threat Detection

Hey, did you hear about this new security risk? It’s called SQL injection and attackers can just suck all your datas out of your system if you screw it up badly enough. Allegedly there’s like, millions of websites at risk and even kids can easily break into them! Wait – this isn’t a new risk?! Well how come it’s all over the news and these seriously large companies keep getting pwned by it?! How is that even possible?! And here we are at that reality of today; SQL injection, whilst well unders...

Free recorded webinar on Pluralsight: Why SQL Injection Remains the #1 Web Security Risk Today

A couple of weeks ago I did a free webinar on Pluralsight titled Why SQL Injection Remains the #1 Web Security Risk Today (and what you should know about it) [https://get.pluralsight.com/webinar_why_sql_injection_remains_the_1_web_security_risk_today.html] . This is a rather self-explanatory title and it’s completely true – SQL injection remains a big thing and we keep getting it wrong. Like an example? Only 8 months ago, Drupal had a major vulnerability in their product [https://www.drupal.org/...

It’s ethical hacking with SQL injection on Pluralsight!

I’ve long been a proponent of “hacking yourself first”, that is the idea of building up some offensive skills such that you can actually take a good shot at ethically breaking apps for the betterment of society. Whether they’re your own apps that you’ve built or ones you’re testing as part of a dev team doesn’t really matter, it’s the same skills and the same end result – you find bad stuff before bad people do. What I can now share with everyone is that over the last few months, I’ve been work...

Here’s how Bell was hacked – SQL injection blow-by-blow

This content is now available in the Pluralsight course "Ethical Hacking: SQL Injection" [http://www.pluralsight.com/courses/ethical-hacking-sql-injection]
Yes, yes, it’s happened again – OWASP’s number one risk in the Top 10 [https://www.troyhunt.com/2010/05/owasp-top-10-for-net-developers-part-1.html] has featured prominently in a high-profile attack this time resulting in the leak of over 40,000 records from Bell in Canada [http://o.canada.com/technology/bell-canada-security-breach-391451/]. I...

Everything you wanted to know about SQL injection (but were afraid to ask)

This content is now available in the Pluralsight course "Ethical Hacking: SQL Injection" [http://www.pluralsight.com/courses/ethical-hacking-sql-injection]
Put on your black hats folks, it’s time to learn some genuinely interesting things about SQL injection. Now remember – y’all play nice with the bits and pieces you’re about to read, ok? SQL injection is a particularly interesting risk for a few different reasons: 1. It’s getting increasingly harder to write vulnerable code due to frameworks...

Stored procedures and ORMs won’t save you from SQL injection

This content is now available in the Pluralsight course "Ethical Hacking: SQL Injection" [http://www.pluralsight.com/courses/ethical-hacking-sql-injection]
Everybody knows the easiest way to save yourself from SQL injection is to use object relational mappers (ORMs such as Entity Framework) or stored procedures, right? Often I see this becoming a mantra: “You don’t need to worry about SQLi if you’re using [Entity Framework | stored procedures]”. I also see the mantra blindly repeated and it’s wro...
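The following is an added example, not code from the original posts or from the Pluralsight course. It takes the point made in the two excerpts above (frameworks make vulnerable code harder to write, yet ORMs and stored procedures do not by themselves stop injection) and shows the one thing that actually decides the outcome: whether the untrusted value is concatenated into the statement text or bound as a parameter. It runs against an in-memory SQLite database via Python's standard sqlite3 module; the users and api_keys tables, their sample rows, and the function names are assumptions of the example.

```python
import sqlite3

# Constructed sample schema and rows for this example (not from the original post).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT);
        CREATE TABLE api_keys (id INTEGER PRIMARY KEY, owner TEXT, secret TEXT);
        INSERT INTO users (username, role) VALUES ('alice', 'admin'), ('bob', 'user');
        INSERT INTO api_keys (owner, secret)
            VALUES ('alice', 'sk-alice-0001'), ('bob', 'sk-bob-0002');
    """)
    return conn


def find_user_vulnerable(conn, username):
    # Deliberately vulnerable: the caller-supplied value becomes part of the SQL text.
    # A T-SQL proc doing EXEC('... WHERE username = ''' + @u + '''') or an ORM raw-SQL
    # call fed a concatenated string is this same function in a different wrapper.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # Hardened: the value is bound as a parameter, so the database engine never
    # parses it as SQL, no matter what characters it contains.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Two classic payloads: a tautology that turns the WHERE clause true for every row,
# and a UNION that pulls rows out of a table the query was never meant to touch.
# The trailing "--" comments out the closing quote the original statement supplied.
BYPASS_PAYLOAD = "' OR '1'='1"
EXFIL_PAYLOAD = "' UNION SELECT owner, secret FROM api_keys --"


def demo():
    """Run both implementations against a legitimate value and both payloads."""
    conn = make_db()
    results = {}
    for label, value in (("legit", "alice"),
                         ("bypass", BYPASS_PAYLOAD),
                         ("exfil", EXFIL_PAYLOAD)):
        results[label] = {
            "vulnerable": sorted(find_user_vulnerable(conn, value)),
            "safe": sorted(find_user_safe(conn, value)),
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:8s} vulnerable -> {outcome['vulnerable']}")
        print(f"{label:8s} safe       -> {outcome['safe']}")
```

With the legitimate username both functions return the single matching row. With the bypass payload the concatenating version returns every user while the parameterized version returns nothing, because it looked for a user literally named `' OR '1'='1`. With the UNION payload the concatenating version hands back the contents of api_keys; again the parameterized version returns nothing. Moving the concatenation into a stored procedure (dynamic SQL run through EXEC) or behind an ORM's raw-query escape hatch changes none of this. The fix is the same in every layer: the value travels as a bound parameter (sp_executesql with declared parameters in T-SQL, a placeholder in the ORM's raw-query API), never as part of the statement text.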

Hacking is child’s play – SQL injection with Havij by 3 year old

This content is now available in the Pluralsight course "Ethical Hacking: SQL Injection" [http://www.pluralsight.com/courses/ethical-hacking-sql-injection]
You know what really strikes me about a lot of the hacks we’ve seen lately? It just seems too easy. I mean we’re seeing a huge number of attacks (an unprecedented number, by some figures) and all too often the perpetrator is a kid. I don’t mean that in a relative sense to myself as I get older, I mean literally a child. The problem, of course...

OWASP Top 10 for .NET developers part 1: Injection

This content is now available in the Pluralsight courses "OWASP Top 10 Web Application Security Risks for ASP.NET" and "Ethical Hacking: SQL Injection" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks]
There’s a harsh reality web application developers need to face up to; we don’t do security very well. A report from WhiteHat Security [http://www.slideshare.net/jeremiahgrossman/whitehat-security-8th-website-security-statistics-report] last year reported “83%...