Confidence - (19-20.11 2009 Warszawa)

Chema Alonso

Topic: How easy SQL Injection bugs defeat the most famous Web vulnerability scanners

Language: English

Bio:
Chema Alonso is a Computer Engineer from the Rey Juan Carlos University and a System Engineer from the Politecnica University of Madrid. He has been working as a security consultant for the last six years and has been awarded Microsoft Most Valuable Professional every year since 2005. He is a frequent Microsoft speaker at security conferences. He writes monthly in several Spanish technical magazines. He is currently working on his PhD thesis about Blind Techniques.

Recent talks:

  • LDAP Injection & Blind LDAP Injection attacks: BlackHat Europe 2008 [Amsterdam, Holland], DeepSec 2008 [Vienna, Austria] and OWASP Spain [Barcelona, Spain].
  • Time-Based Blind SQL Injection using heavy Queries: Defcon 16 [Las Vegas, USA]
  • Remote File Downloading using Blind Techniques: Toorcon X [San Diego, USA]
  • Replaying with (Blind) SQL Injection vulnerabilities: HackCon#4 [Oslo, Norway], Yahoo! Security Week [San Francisco, USA] and ShmooCon 2k9 [Washington DC, USA]
  • Tactical Fingerprinting using metadata, hidden info and lost data: Black Hat Europe 2009 [Amsterdam, Holland] and Defcon 17 [Las Vegas, USA]
  • Connection String Attacks: Ekoparty 5 [Buenos Aires, Argentina]

Abstract:
This session describes the environments in which web vulnerability scanners fail, such as Blind SQL Injection vulnerabilities with inverted SQL queries, or time-based vulnerabilities in databases with no time-delay functions. This session will demonstrate how important human pentesters still are in black box security tests.

Agenda:

  • Top ten web vulnerability scanners
  • Inverted SQL Injection: Why do people assume all bad developers program in the same way? This part of the session will show examples of valid SQL queries which are not taken into account by web vulnerability scanners.
    • Demos: AppScan, Acunetix, w3af, wapiti, Paros, ... These demos will show how all of them fail to detect some Blind SQL Injection vulnerabilities in web applications running on MS SQL Server and Oracle, and how they do on MySQL databases. Why?
  • Arithmetic SQL Injection: This part will show how using simple true/false mathematical logic to detect Blind SQL Injection vulnerabilities succeeds against inverted SQL queries.
    • Demos: Division by zero, Type Overflow, Sums and subs.
  • Time-Based Blind SQL Injection using heavy Queries: This part will show that it is necessary to test time-based Blind SQL Injection using heavy queries in some special environments with no time-delay functions, such as MS Access, DB2 or Oracle connections without PL/SQL support.
    • Demos: Oracle, DB2, Access
    • Demo: Marathon Tool: an open-source tool to test Time-Based Blind SQL Injection vulnerabilities using heavy queries.
  • Conclusions
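Added example (not the speaker's code and not part of the Marathon Tool): a minimal illustration of the agenda's "inverted query" and "sums and subs" points, with the hardened parameterized form beside the concatenated one. The table, rows and function names are constructed for the example, and SQLite stands in for the databases named in the talk, whose arithmetic and error behaviour differ.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the talk).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO products VALUES (?, ?)",
                    [(1, "keyboard"), (2, "mouse"), (3, "monitor")])
    return con

def lookup_inverted_vulnerable(con, raw_id):
    # Hypothetical "inverted" query: the untrusted value sits on the LEFT of
    # the comparison and is concatenated unquoted, so the engine evaluates
    # whatever expression arrives in raw_id.
    sql = f"SELECT name FROM products WHERE {raw_id} = id"
    return [row[0] for row in con.execute(sql)]

def lookup_parameterized(con, raw_id):
    # Hardened form of the same inverted query: the value is bound, so the
    # engine only ever sees a value, never an expression.
    sql = "SELECT name FROM products WHERE ? = id"
    return [row[0] for row in con.execute(sql, (raw_id,))]

def arithmetic_self_test(lookup, con, base_id):
    """Defender's self-check in the spirit of the talk's 'sums and subs':
    an injectable numeric parameter returns the *same* row for `n+0` and a
    *different, real* row for `n+1`. No boolean operator is appended, so the
    check does not depend on which side of the comparison the value is on.
    A bound parameter treats "2+0" as text that matches nothing, so the
    probes return empty and the test reports False."""
    baseline = lookup(con, str(base_id))
    plus_zero = lookup(con, f"{base_id}+0")
    plus_one = lookup(con, f"{base_id}+1")
    return bool(baseline) and plus_zero == baseline and plus_one not in ([], baseline)

if __name__ == "__main__":
    db = make_db()
    print("inverted, concatenated:", arithmetic_self_test(lookup_inverted_vulnerable, db, 2))
    print("inverted, parameterized:", arithmetic_self_test(lookup_parameterized, db, 2))
```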