SPECIAL-OPS 2 – THE ART OF EXPLOITING SQL INJECTION FLAWS
TRAINER: Sumit Siddharth (Head of Penetration Testing, 7Safe Limited)
CAPACITY: 20 pax
SEATS LEFT: REGISTRATION CLOSED
DURATION: 1 day (21st May 2012)
COST (per pax): EUR699 (early bird) / EUR799 (non early-bird)
OVERVIEW
This is a full-day, hands-on training course aimed at penetration testers, security auditors/administrators and web developers who want to learn advanced exploitation techniques. SQL Injection, although now nearly 15 years old, still exists in over 30% of web applications. This vulnerability could typically result in 3 scenarios:
1. Authentication Bypass
2. Extraction of arbitrary sensitive data from the database
3. Access and compromise of the internal network.
This training will target 3 databases:
- MS-SQL
- MySQL
- Oracle
and discuss a variety of exploitation techniques to exploit each scenario. The aim of the training course is to address the following:
- Understand the problem of SQL Injection.
- Learn a variety of advanced exploitation techniques which hackers use.
- Learn how to fix the problem.
Identify, extract, escalate, execute; we have got it all covered.
WHO SHOULD ATTEND?
Penetration Testers, Web Developers, Security Auditors/Administrators/Managers, anyone else who wants to take their skills to the next level.
HARDWARE / SOFTWARE REQUIREMENTS
Students must bring their own laptop with the Windows operating system installed (either running natively or in a VM). Students must have admin access on the Windows platform.
ABOUT THE TRAINER
Sumit Siddharth
Sumit “sid” Siddharth works as Head of Penetration Testing for 7Safe Limited in the UK. He has been a speaker/trainer at many security conferences including Blackhat, Defcon, Troopers, OWASP Appsec, Sec-T, IT-Underground etc. He has contributed a number of whitepapers, security tools, exploits and advisories to the industry. Sid is one of the contributing authors of the book SQL Injection: Attacks and Defense (2nd edition). He also runs the popular IT security blog www.notsosecure.com.