Abstract

Over the past several years, hacktivists, criminals, and people just "out for lulz" have managed to find sensitive data owned by organizations like Sony, Yahoo, NASA, and the U.S. Army, among many others. In all of these cases, the attackers exploited websites using SQL injection attacks. SQL injection sits at the top of the Open Web Application Security Project (OWASP) Top 10 list and is an important part of one of the SANS 20 Critical Security Controls. This talk will cover what SQL injection is, how attackers use it, and how to secure your sites so that your CIO and CISO never show up on the evening news. Although the talk focuses on the Microsoft stack (IIS, ASP.Net, and SQL Server), the lessons apply to all web systems everywhere.
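To make the abstract's point concrete, here is an added example (written for this page, not code from the talk or from its GitHub demo repository) showing the same user lookup built two ways: by splicing untrusted input into the statement text, and with a bound parameter. Python's standard-library sqlite3 stands in for SQL Server so that it runs offline; in ADO.NET the second form corresponds to a SqlCommand with SqlParameter objects. The `users` table and the constructed `TAUTOLOGY` input are assumptions made for the demonstration.

```python
"""Added example (not from the talk or its demo repo): string-built query
versus parameterized query, run against an in-memory sqlite3 database.
"""
import sqlite3


def make_db():
    """Build a constructed sample table; the rows are assumptions for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """Untrusted input is concatenated into the statement text, so quote
    characters in the input change the structure of the query."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn, name):
    """The statement text is fixed; the driver passes the value separately,
    so whatever the input contains is compared as a literal string."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


# Constructed sample input: a classic tautology that, when concatenated,
# turns the WHERE clause into "name = '' OR '1'='1'".
TAUTOLOGY = "' OR '1'='1"


def compare(name):
    """Return what each lookup yields for the same input, side by side."""
    conn = make_db()
    return {
        "vulnerable": find_user_vulnerable(conn, name),
        "parameterized": find_user_parameterized(conn, name),
    }


if __name__ == "__main__":
    for value in ("bob", TAUTOLOGY):
        print(repr(value), "->", compare(value))
```

For an honest username both functions return the same single row; for the tautology input the concatenated version returns every user, while the parameterized version returns nothing because it is looking for a user literally named `' OR '1'='1`. Parameterizing every query is the primary fix the abstract alludes to; running the application under a least-privileged database login limits the damage when one query is missed.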


Slides

The slides are available in HTML 5 format. All modern browsers (including tablets and phones) should be able to navigate the slides successfully.

The slides are licensed under Creative Commons Attribution-ShareAlike.


Demo Code

The demonstration code is available on my GitHub repository. These scripts give you an opportunity to play with a site vulnerable to SQL injection.

The source code is licensed under the terms offered by the GPL.


Links And Further Information

References

This material was originally part of a blog series on SQL injection that I wrote. That series later became a chapter of Tribal SQL.

Simple Talk later published my SQL injection chapter as an article, so you can read it for free.

Interesting Links

For more resources on SQL injection, I recommend checking out the following:

Tools

Books and Other Resources