Pete Finnigan's SQL Server Security Blog


10/10/2005: "David Litchfield has a good paper on SQL Injection methods"


David Litchfield has a good new paper out titled "Data-Mining With SQL Injection and Inference", which covers methods for extracting data from a database when it is not possible to get the data back through the same channel as the original query, or even via a separate channel such as email. The method David discusses is called inference, and the paper includes examples of SQL injection against SQL Server. It shows how the presence or value of data in the database might be inferred by altering the known output, by causing a web server error, or even by injecting a time delay in the application. This is a very interesting paper and well worth reading.