Pete Finnigan's SQL Server Security Blog

Time based blind SQL Injection

Wed, 13 Dec 2023 09:59:10 +0000

Yesterday I got an email from Chema Alonso to tell me about his recent paper " Time-Based Blind SQL Injection with Heavy Queries ". This is an excellent summary paper of the technique and includes an example of how writing....[Read More]

Posted by Pete On 16/10/07 At 10:16 AM

SQL Injection cheat sheet

Wed, 13 Dec 2023 09:59:10 +0000

Today I found a nice SQL Injection cheat sheet for MS SQL Server, MySQL, PostgeSQL and Oracle. The paper is quite comprehensive and covers a good spread of types of SQL injection attacks. Its also quite good that it tries....[Read More]

Posted by Pete On 03/10/07 At 10:00 AM

SQL Injection, Are Your Web Applications Vulnerable?

Wed, 13 Dec 2023 09:59:10 +0000

SQL Injection, Are Your Web Applications Vulnerable? - by SPI Dynamics "SQL injection is a technique for exploiting web applications that use client-supplied data in SQL queries without stripping potentially harmful characters first. Despite being remarkably simple to protect against....[Read More]

Posted by Pete On 12/12/06 At 09:05 PM

Chip Andrews SQL lock down script

Wed, 13 Dec 2023 09:59:10 +0000

Well its been some time since I have written on this SQL Server blog. I have been very busy of late but I am planning to try and keep this blog more up to date from now on. I have....[Read More]

Posted by Pete On 19/06/06 At 05:48 PM

WebGoat an excellent application for testing web security

Wed, 13 Dec 2023 09:59:10 +0000

Few people have open access to full blown web based business applications that they can use to practice all manner of web based attacks. The Open Web Application Security Project has created a full J2EE web application called WebGoat that....[Read More]

Posted by Pete On 10/10/05 At 10:42 PM

David Litchfield has a good paper on SQL Injection methods

Wed, 13 Dec 2023 09:59:10 +0000

David Litchfield has a good new paper out titled " Data-Mining With SQL Injection and Inference " which talks about the methods for extracting data from a database when its not possible to get the data back through the same....[Read More]

Posted by Pete On 10/10/05 At 10:26 PM

FreeTDS an implementation of SQL Server and Sybase TDS protocol libraries

Wed, 13 Dec 2023 09:59:10 +0000

I was searching for interesting SQL Server security stuff to look for an found out that the network protocol is called TDS (Tabular Data Stream) - well actually I knew that already. I wanted to know if there are any....[Read More]

Posted by Pete On 06/10/05 At 10:06 PM

Dave Campbell Keynote at SQL PASS

Wed, 13 Dec 2023 09:59:10 +0000

I came across Don Kiely's post to his blog called " Dave Campbell Keynote at SQL PASS " which talks about David Campbells keynote at SQL PASS which talks about moving to SQL Server 2005 and one of the key....[Read More]

Posted by Pete On 01/10/05 At 10:30 PM