Confidence - (19-20.11 2009 Warszawa)


José Parada Gimeno

Temat: How easy SQL Injection bugs defeat the most famous Web vulnerability scanners

Language: English

Bio:
José Parada is an IT Pro Technical Specialist at Microsoft. He is a well-known speaker at Spanish conferences on IT infrastructure, Microsoft technologies and security. He has worked in the Microsoft TechNet Program since 2005, delivering conferences, webcasts and technical information. He has spoken at BlackHat Europe, Defcon and DeepSec on web security.


Abstract:
This session describes the environments in which web vulnerability scanners fail: Blind SQL Injection vulnerabilities in inverted SQL queries, and time-based vulnerabilities in databases that have no time-delay functions. The session demonstrates how important human pentesters still are in black-box security tests.

Agenda:

  • Top ten web vulnerability scanners
  • Inverted SQL Injection: Why do people assume that all bad developers program in the same way? This part of the session shows examples of valid SQL queries that web vulnerability scanners do not take into account.
    • Demos: AppScan, Acunetix, w3af, wapiti, Paros, ... These demos show how all of them fail to detect some Blind SQL Injection vulnerabilities in web applications running on MS SQL Server and Oracle, and how they fare with MySQL databases. Why?
  • Arithmetic SQL Injection: This part shows how simply using true/false mathematical logic to detect Blind SQL Injection vulnerabilities succeeds against inverted SQL queries.
    • Demos: Division by zero, type overflow, sums and subtractions.
  • Time-Based Blind SQL Injection using heavy queries: This part shows why it is necessary to test time-based Blind SQL Injection with heavy queries in certain environments that have no time-delay functions, such as MS Access, DB2, or an Oracle connection without PL/SQL support.
    • Demos: Oracle, DB2, Access
    • Demo: Marathon Tool: an open-source tool for testing Time-Based Blind SQL Injection vulnerabilities using heavy queries.
  • Conclusions