Tuesday, October 20, 2009

SQL Injection Attacks and Defense Book Review

SQL Injection Attacks and Defense Book Review

Justin Clarke (and others)

5 stars

Most Up To Date and Digestible Book on SQL Injection

First off, kudos to Syngress for putting out a high quality book. It looks like they are turning things around.

Second, kudos to the authors for finally explaining SQL Injection and exploiting the OS through the database in a understandable way. Previous books have tried and failed but this book succeeds in explaining what SQL Injection is, how the three forms (Error Based, Union Based, & Blind) of SQL Injection work, as well as post exploitation activities on various databases.

Here's what you get:

Chapter 1: What is SQL Injection?
Chapter 2: Testing for SQL Injection
Chapter 3: Reviewing Code for SQL Injection
Chapter 4: Exploiting SQL Injection
Chapter 5: Blind SQL Injection Exploitation
Chapter 6: Exploiting the Operating System
Chapter 7: Advanced Topics
Chapter 8: Code-Level Defenses
Chapter 9: Platform-Level Defenses
Chapter 10: References

Favorite chapters include "Review Code for SQL Injection", "Exploiting SQL Injection", and "Exploiting the Operating System".

In general I have nothing but positive things to say about the book. However I do wish there was more "new" material for Oracle as most of the discussion on Oracle can be found on the author's blog and presentations. Unfortunately the majority of the things I was unclear about before reading the book, I'm still unclear about because its the same material. My biggest gripe comes from the Oracle privilege escalation section of Chapter 4 where its says "Privilege escalation via Web Application SQL injection is Oracle is quite difficult because most approaches for privilege escalation attacks require PL/SQL injection, which is less common." But never gives an example of how to do PL/SQL injection via the web application. Uncommon != never. Unfortunately for most penetration testers access the TNS listener is usually firewalled off and exploitation Oracle through the web application is exactly whats required. Not covering that vector is really a downer. I'm not an expert in any of the databases so maybe the problem applies to other databases in the book but i didn't notice it in my reading.

There was also a lack of discussion on DB2 or Postgress but there is some material in the Cheat-Sheets section for those databases.

On a more positive note, the coverage of the three core databases (MSSQL, MySQL, ORACLE) is excellent (with the exception of the above comments) and there are two really good chapters on defense (CH8 Code-Level Defenses & CH9 Platform-Level Defenses). Its a must have if you are getting into web application testing.


No comments: