The Art of Exploiting SQL Injection

Overview

This is a full day hands on training course which will typically target penetration testers, security auditors/administrators and web developers to learn advanced exploitation techniques. SQL Injection, although now nearly 15 years old, still exists in over 30% of the web applications. This vulnerability could typically result in 3 scenarios:

• Authentication Bypass
• Extraction of arbitrary sensitive data from the database
• Access and compromise of the internal network.

This training will target 3 databases:

• MS-SQL
• MySQL
• Oracle

and discuss a variety of exploitation techniques to exploit each scenario. The aim of the training course is to address the following:

• Understand the problem of SQL Injection
• Learn a variety of advanced exploitation techniques which hackers use
• Learn how to fix the problem

Identify, extract, escalate, execute; we have got it all covered.

Who Should Take This Class

Penetration Testers, Web Developers, Security Auditors/Administrators/Managers, anyone else who wants to take their skills to the next level.

Student Requirements, experience/expertise

A prior knowledge of databases and SQL would be handy but is not a strict requirement.

Equipment/software students must furnish

Students must bring their own laptop with Windows Operating System installed (either running natively or in a VM). Students must have admin access on the windows platform.

Trainer

Sumit "sid" Siddharth works as a Head of Penetration testing for 7Safe Limited in the UK. He specializes in the application and database security and has more than 6 years of pentesting. Sid has authored a number of whitepapers and tools. He has been a Speaker/Trainer at many security conferences including Black Hat, DEF CON, Troopers, OWASP Appsec, Sec-T etc. He also runs the popular IT security blog: www.notsosecure.com