Bugtraq mailing list archives
Paper: SQL Injection Attacks by Example
From: Steve Friedl <steve () unixwiz net>
Date: Wed, 5 Jan 2005 09:30:39 -0800
Hello folks (and Happy New Year),
I recently posted this to the PEN-TEST list, but it was suggested that
the wider Bugtraq readership might benefit from it.
During a recent security review for a customer, I was able to completely
compromise his web application in about two hours using SQL Injection,
logging in as the Chief Information Officer.
I've written a paper on SQL Injection Attacks, not so much as a tutorial,
but an illustrated overview showing the process (those with only a casual
knowledge of SQL have told me it's easy to understand).
Those who write (or test) web applications really ought to know about SQL
Injection attacks, because the bad guys certainly do.
SQL Injection Attacks by Example
http://www.unixwiz.net/techtips/sql-injection.html
Steve
--
Stephen J Friedl | Security Consultant | UNIX Wizard | +1 714 544-6561
www.unixwiz.net | Tustin, Calif. USA | Microsoft MVP | steve () unixwiz net
Current thread:
- Paper: SQL Injection Attacks by Example Steve Friedl (Jan 05)
- RE: Paper: SQL Injection Attacks by Example David Litchfield (Jan 05)
- <Possible follow-ups>
- RE: Paper: SQL Injection Attacks by Example Scovetta, Michael V (Jan 05)
- Re: Paper: SQL Injection Attacks by Example Chip Andrews (Jan 05)
- Re: Paper: SQL Injection Attacks by Example Cory Foy (Jan 05)
- RE: Paper: SQL Injection Attacks by Example David Litchfield (Jan 05)
- RE: Paper: SQL Injection Attacks by Example Michael Silk (Jan 05)
- RE: Paper: SQL Injection Attacks by Example Scovetta, Michael V (Jan 05)
- RE: Paper: SQL Injection Attacks by Example Sergey Chernyshev (Jan 06)