Red-Database-Security GmbH. SQL Basics. Page 18.
Typology: Lecture notes
1 / 138
- Introduction
- Architecture
- Typical Attackers
- Tools
- SQL Basics
- SQL Injection Basics
Classic solution:
Final solution
Type: Curious DBA or employee
Scenario: Interested in private/sensitive information.
Samples:

Type: DBA covering its own fault
Scenario: Tries to remove evidence of a (serious) fault. It is probably not a good approach to ask the DBA to do the forensics.
Samples:

Type: Leaving employees
Scenario: Get as much data/information for the new job as possible. Most common attack.
Samples:

Type: External hacker
Scenario: Steal interesting stuff.
Samples:
SQL Injection is still the biggest security problem in web applications. This year we can celebrate the 10th anniversary of SQL Injection. Even though the problem has been known for 10 years, the knowledge, especially about exploiting Oracle databases, is poor. Most examples and tutorials cover only MySQL and SQL Server. Detailed explanations of SQL Injection in web apps backed by Oracle databases are rare and often buggy. That's why SQL Injection in Oracle is often not exploited… The following presentation shows everything from simple statements to complex queries…
- Netsparker (Web)
- Matrixay (Web)
- HP Webinspect (Web)
- IBM Rational AppScan (Web)
- Pangolin (Web)
- SQLMap (Web)
- Fuzzer (PL/SQL)
- Source code scanner Repscan (PL/SQL)
- Source code scanner Fortify (PL/SQL)
Many custom tools are used by hacker groups / security consultants.