Praetorian503 Posted February 1, 2013

Description: SQLi remains a popular sport in the security arms-race. However, after analysis of hundreds of thousands of real world SQLi attacks, output from SQLi scanners, published reports, analysis of WAF source code, and database vendor documentation, both SQLi attackers and defenders have missed a few opportunities. This talk will iterate through the dark corners of SQL for use in new obfuscated attacks, and show why they are problematic for regular-expression based WAFs. This will point the way for new directions in SQLi research for both offense and defense.

Nick Galbreath is a director of engineering at Etsy, overseeing groups handling fraud, security, authentication and internal tools. Over the last 18 years, Nick has held leadership positions in a number of social and e-commerce companies, including Right Media, UPromise, Friendster, and Open Market, and has consulted for many more. He is the author of "Cryptography for Internet and Database Applications" (Wiley), and was awarded a number of patents in the area of social networking. He holds a master's degree in mathematics from Boston University.

Twitter: @ngalbreath
GitHub: https://github.com/client9

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: New Techniques In Sqli Obfuscation: Sql Never Before Used In Sqli
Nytro Posted February 1, 2013

Quote:
Q: "Why don't we see more attacks using these techniques?"
A: "Dumb attacks work (for now)"