SQL Injection Attacks and Defense
by Justin Clarke
ISBN 978-1-59749-424-3 . amazon.com USD31.94
Table of contents
Reviewed by Richard Austin 01/14/2011
The book is structured into three basic parts - identification, exploitation and defense.
In the identification section, Clarke reviews how injection vulnerabilities are discovered either through "black box" testing of exposed web interfaces or "white box" code reviews. The testing material illustrates the use of proxies to capture full interactions with the application and explores notable topics such as "blind" injection where the application doesn't directly display database information. The code review material includes examples of regular expressions that can be used to sift the source code for potentially vulnerable areas worthy of further study.
The exploitation section reveals how a discovered vulnerability is actually used to accomplish access to information or the underlying operating system. Coverage is both practical and well-illustrated with examples. Of particular note is his coverage of exfiltration techniques: how to get database information out of the organization while evading input sanitization filters.
The defense section is paradoxically the shortest section of the book and covers defensive techniques at both the code and platform levels. The beauty of these two brief chapters is their solid advice on how to properly use defenses such as parameterized statements and input validation.
The book closes with a reference chapter that includes a primer on the SQL language and concise summaries of key concepts and techniques.
This is a practical book and is clearly intended for the technical security professional. Though it is largely self-contained, some background knowledge of database and web application technologies will aid in understanding code samples and details of attack and defense.
Clarke has done the security community a great service by concentrating in a single resource a masterful overview of the practical methods of database attack and defense. Whether you are a professional penetration tester or charged with defending your organization's database assets, this book is definitely a recommended read.
Richard Austin MS, CISSP spent 30+ years in the IT industry holding positions ranging from software developer to security architect before becoming a semi-retired, part-time academic. He welcomes your thoughts and comments on this review at raustin2 at spsu dot edu.