The Art of Exploiting SQL Injections - Revision history

Achim: category OWASP/Training changed to OWASP Training

2014-11-10T21:25:09Z

category OWASP/Training changed to OWASP Training

Achim: category changed to OWASP/Training AppSec_DC_2010

2014-11-10T20:51:06Z

category changed to OWASP/Training AppSec_DC_2010

Sumit Siddharth at 20:52, 23 September 2010

2010-09-23T20:52:37Z

Dallendoug: added link header

2010-09-21T05:06:06Z

added link header

Mark.bristow at 15:05, 20 September 2010

2010-09-20T15:05:26Z

Mark.bristow at 22:22, 16 September 2010

2010-09-16T22:22:56Z

Mark.bristow at 22:17, 16 September 2010

2010-09-16T22:17:15Z

Mark.bristow at 22:04, 16 September 2010

2010-09-16T22:04:20Z

Mark.bristow at 22:03, 16 September 2010

2010-09-16T22:03:51Z

Mark.bristow: Created page with 'Category:AppSec_DC_2010_Training'

2010-09-16T21:59:42Z

Created page with 'Category:AppSec_DC_2010_Training'

New page

[[Category:AppSec_DC_2010_Training]]

← Older revision		Revision as of 21:25, 10 November 2014
Line 34:		Line 34:
	'''Instructor: Sumit Siddharth''' Sumit "sid" Siddharth works as a Principal Security Consultant (Penetration Tester) for 7Safe Limited in the UK. He specializes in the application and database security and has more than 5 years of pentesting. Sid has authored a number of whitepapers and tools. He has been a speaker at many security conferences including Blackhat, Defcon, Troopers, OWASP Appsec, Sec-T etc. He also runs the popular IT security blog: [http://www.notsosecure.com www.notsosecure.com]		'''Instructor: Sumit Siddharth''' Sumit "sid" Siddharth works as a Principal Security Consultant (Penetration Tester) for 7Safe Limited in the UK. He specializes in the application and database security and has more than 5 years of pentesting. Sid has authored a number of whitepapers and tools. He has been a speaker at many security conferences including Blackhat, Defcon, Troopers, OWASP Appsec, Sec-T etc. He also runs the popular IT security blog: [http://www.notsosecure.com www.notsosecure.com]

−	[[Category:OWASP/~~Training~~ AppSec_DC_2010]] [[Category:OWASP/~~Training~~ Basic]]	+	[[Category:OWASP Training/AppSec_DC_2010]] [[Category:OWASP Training/Basic]]

← Older revision		Revision as of 20:51, 10 November 2014
Line 34:		Line 34:
	'''Instructor: Sumit Siddharth''' Sumit "sid" Siddharth works as a Principal Security Consultant (Penetration Tester) for 7Safe Limited in the UK. He specializes in the application and database security and has more than 5 years of pentesting. Sid has authored a number of whitepapers and tools. He has been a speaker at many security conferences including Blackhat, Defcon, Troopers, OWASP Appsec, Sec-T etc. He also runs the popular IT security blog: [http://www.notsosecure.com www.notsosecure.com]		'''Instructor: Sumit Siddharth''' Sumit "sid" Siddharth works as a Principal Security Consultant (Penetration Tester) for 7Safe Limited in the UK. He specializes in the application and database security and has more than 5 years of pentesting. Sid has authored a number of whitepapers and tools. He has been a speaker at many security conferences including Blackhat, Defcon, Troopers, OWASP Appsec, Sec-T etc. He also runs the popular IT security blog: [http://www.notsosecure.com www.notsosecure.com]

−	[[Category:~~AppSec_DC_2010_Training~~]] [[Category:~~Basic_Training]]] [[Category:Intermediate_Training]~~]]	+	[[Category:OWASP/Training AppSec_DC_2010]] [[Category:OWASP/Training Basic]]

@@ Line 32: / Line 32: @@
 ==Instructor==
-'''Instructor: Sumit Siddharth'''  Sumit "sid" Siddharth works as a Principal Security Consultant (Penetration Tester) for 7Safe Limited in the UK. He specializes in the application and database security and has more than 5 years of pentesting. Sid has authored a number of whitepapers and tools. He has been a speaker at many security conferences including Blackhat, Defcon, Troopers, OWASP Appsec, Sec-T etc. He also runs the popular IT security blog: www.notsosecure.com
+'''Instructor: Sumit Siddharth'''  Sumit "sid" Siddharth works as a Principal Security Consultant (Penetration Tester) for 7Safe Limited in the UK. He specializes in the application and database security and has more than 5 years of pentesting. Sid has authored a number of whitepapers and tools. He has been a speaker at many security conferences including Blackhat, Defcon, Troopers, OWASP Appsec, Sec-T etc. He also runs the popular IT security blog: [http://www.notsosecure.com www.notsosecure.com]
 [[Category:AppSec_DC_2010_Training]] [[Category:Basic_Training]]] [[Category:Intermediate_Training]]]

← Older revision		Revision as of 05:06, 21 September 2010
Line 1:		Line 1:
		+	[[Image:468x60-banner-2010.gif\|link=http://www.owasp.org/index.php?title=OWASP_AppSec_DC_2010]]
		+
		+	[https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=d52c6f5f-d568-4e16-b8e0-b5e2bf87ab3a Registration] \| [https://resweb.passkey.com/Resweb.do?mode=welcome_gi_new&groupID=2766908 Hotel] \| [http://www.dcconvention.com/ Walter E. Washington Convention Center]
		+	<br>
	__NOTOC__		__NOTOC__
	==Description==		==Description==

@@ Line 22: / Line 22: @@
 Skill: Basic, Intermediate
-# Identify the most complicated sql injections which are beyond the scope of any automated tool?
+# Understand the problem of SQL Injection
-# Identify and Extract sensitive data from back-end database?
+# Learn a variety of advanced exploitation techniques which hackers use.
-# Privilege Escalation  within the database and extracting data with database admin privilege?
+# How to fix the problem?
-# OS code execution on these database server and use this as a pivot to attack internal network?
 ==Instructor==

@@ Line 1: / Line 1: @@
 __NOTOC__
-===Description===
+==Description==
 This is a full day hands on training course which will typically target penetration testers, security auditors/administrators  and even web developers  to learn advanced exploitation techniques. SQL Injection, although now nearly 15 years old, still exists in over 30% of the web applications. This vulnerability could typically result in 3 scenarios:
@@ Line 14: / Line 16: @@
 # OS code execution on these database server and use this as a pivot to attack internal network?
-===Requirements===
+==Student Requirements==
 Students will need to bring a laptop with VMWare
-===Objectives===
+==Objectives==
 Skill: Basic, Intermediate
@@ Line 25: / Line 27: @@
 # OS code execution on these database server and use this as a pivot to attack internal network?
-===Instructor===
+==Instructor==
 '''Instructor: Sumit Siddharth'''  Sumit "sid" Siddharth works as a Principal Security Consultant (Penetration Tester) for 7Safe Limited in the UK. He specializes in the application and database security and has more than 5 years of pentesting. Sid has authored a number of whitepapers and tools. He has been a speaker at many security conferences including Blackhat, Defcon, Troopers, OWASP Appsec, Sec-T etc. He also runs the popular IT security blog: www.notsosecure.com
 [[Category:AppSec_DC_2010_Training]] [[Category:Basic_Training]]] [[Category:Intermediate_Training]]]

← Older revision		Revision as of 22:04, 16 September 2010
Line 1:		Line 1:
		+	__NOTOC__
	===Objectives===		===Objectives===
	Skill: Basic, Intermediate		Skill: Basic, Intermediate

← Older revision		Revision as of 22:03, 16 September 2010
Line 1:		Line 1:
−	[[Category:AppSec_DC_2010_Training]]	+	===Objectives===
		+	Skill: Basic, Intermediate
		+
		+	# Identify the most complicated sql injections which are beyond the scope of any automated tool?
		+	# Identify and Extract sensitive data from back-end database?
		+	# Privilege Escalation within the database and extracting data with database admin privilege?
		+	# OS code execution on these database server and use this as a pivot to attack internal network?
		+
		+	===Description===
		+	This is a full day hands on training course which will typically target penetration testers, security auditors/administrators and even web developers to learn advanced exploitation techniques. SQL Injection, although now nearly 15 years old, still exists in over 30% of the web applications. This vulnerability could typically result in 3 scenarios:
		+
		+	# Authentication Bypass
		+	# Extraction of arbitrary sensitive data from the database
		+	# Access and compromise of the internal network.
		+
		+	To identify the true impact of this vulnerability it is essential that the vulnerability gets exploited to the full extent. While there is a reasonably good awareness when it comes to identify this problem, there are still a lot of grey areas when it comes to exploitation or even identifying complex vulnerabilities like a 2nd order injections. This training will target 3 databases (MS-SQL, Mysql, Oracle) and discuss a variety of exploitation techniques to exploit each scenario. The aim of the training course is to address the following:
		+
		+	# Identify the most complicated sql injections which are beyond the scope of any automated tool?
		+	# Identify and Extract sensitive data from back-end database?
		+	# Privilege Escalation within the database and extracting data with database admin privilege?
		+	# OS code execution on these database server and use this as a pivot to attack internal network?
		+
		+	===Instructor===
		+	'''Instructor: Sumit Siddharth''' Sumit "sid" Siddharth works as a Principal Security Consultant (Penetration Tester) for 7Safe Limited in the UK. He specializes in the application and database security and has more than 5 years of pentesting. Sid has authored a number of whitepapers and tools. He has been a speaker at many security conferences including Blackhat, Defcon, Troopers, OWASP Appsec, Sec-T etc. He also runs the popular IT security blog: www.notsosecure.com
		+
		+	===Requirements===
		+	Students will need to bring a laptop with VMWare
		+
		+	[[Category:AppSec_DC_2010_Training]] [[Category:Basic_Training]]] [[Category:Intermediate_Training]]]