
Blindfolded SQL Server Injection

Table of Contents

* Overview
* Identifying injections
  o Recognizing errors
  o Locating errors
  o Identifying SQL injection vulnerable parameters
* Performing the injection
  o Getting the syntax right
  o Identifying the database
  o Exploiting the injection
* UNION SELECT injections
  o Counting the columns
  o Identifying column types
* Summary
* About Imperva
* About Imperva SecureSphere™

Following the increase in attacks taking advantage of SQL injection, many attempts have been made to find solutions to the problem. The obvious solution, of course, is, and always will be, to build the programs in a secure manner. Many documents have been published regarding secure development of Web applications, with emphasis on database access, yet not much has changed. Web developers are usually still not security-aware, and the problems continue to appear.

As a result, security experts keep looking for other measures that can be taken against this problem. Unfortunately, the common solution took the form of suppressing detailed error messages. Since most documents describing SQL injection rely on gathering information through the error messages (some even claim that specific tasks cannot be completed without detailed error messages), security experts developed the notion that SQL injection cannot really be exploited without detailed error messages (or the source code itself).
