Roll your eyes if you want, but even though SQL injection has been around for more than 10 years, this vulnerability is still one of the most rampant. So, why is that? With the advent of automated tools to detect vulnerabilities, most people assume SQL injections are either extinct or so hard to find that they are not worth an attacker's time. This talk will reveal how a SQL injection that might be missed by an automated tool can easily be found by a manual process, and demonstrate how a single input in a simple Web application can expose an entire database. Specifically, this session will explore:

- Why SQL injection still exists
- Challenges around individual databases and Web applications
- SQL injection goes both ways: in and out of the database
  - Extraction of data from a backend database
  - Injection of content, including malware
- Live demos:
  - Verbose SQL injection
  - Blind SQL injection
  - Simple manual checks for SQL injection that evade automated tools, and how attackers are using them
- Validating the inputs and self-defense
- What tools can be used to test applications
- Case studies of recent infections and exploits
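The "single input exposes the database" and "validating the inputs and self-defense" points above, as an added example that is not part of the talk: a constructed in-memory SQLite login check in its string-concatenated form beside its parameterized form, showing that the same input is treated as SQL grammar by one and as plain data by the other, and that the concatenated form also leaks the raw database error (the "verbose" case) on a stray quote. Table, users and passwords are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the web application's backend database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Plaintext passwords are only for the demo; a real app stores password hashes.
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: user input is spliced into the SQL text itself,
    so quotes and comment markers in the input change the query's meaning."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Parameterized query: the driver binds the values as data, so the
    query shape is fixed no matter what characters the input contains."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def verbose_error(conn, username):
    """Return the raw database error text the concatenated query would leak
    to a user when a single quote breaks the SQL; None if no error occurs."""
    try:
        login_vulnerable(conn, username, "x")
    except sqlite3.Error as exc:
        return str(exc)
    return None
```

A legitimate name such as O'Brien already breaks the concatenated query, which is why a stray-quote check is the first manual test the talk refers to; the parameterized version returns no rows and no error for the same input.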
Ray Kelly currently serves as manager of client-side security technologies for Barracuda Networks Inc. He has been a developer for 16 years and has been in the Internet security space for the past eight years. Ray held several positions over the course of five years at SPI Dynamics, a Web application security startup that was purchased by HP in 2007, starting as the lead developer and product owner of the flagship product WebInspect. Eventually he moved on to become the director of SPI Labs, leading the research division of SPI, where new hacking techniques were explored and penetration tests took place. When SPI was acquired, Ray moved on to become the functional architecture manager for HP's Application Security Center. In 2008, Ray left HP for award-winning Web security startup Purewire, which was acquired in 2009 by Barracuda Networks. Ray continues to lead the development and oversight of all client-side security applications and conducts security research as part of Barracuda Labs' global threat intelligence efforts.