Mirror Mirror -- Reflected PDF Attacks Using SQL Injection

BSidesLV 2012

Presented by: Shawn Asmus, Kristov Widak
Date: Wednesday July 25, 2012
Time: 17:00 - 17:50
Location: Track 2
Track: Proving Ground

SQL Injection vulnerabilities are old hat, but there are many web applications in production that are still prone to this flaw. One subclass of these is websites that serve PDF documents from dynamically built URLs. We demonstrate that, in certain cases, trusted websites prone to SQLi that also deliver binary file content such as PDFs can be used surreptitiously for stealthy data extraction and obfuscated malware delivery, even when database security is otherwise configured properly. The talk is based on findings from a real-world application penetration test.

