Search icon Close icon
Search icon CANCEL
Subscription
0
Cart icon
Cart
Close icon
You have no products in your basket yet
Save more on your purchases!
Savings automatically calculated. No voucher code required
Arrow left icon
All Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Newsletters
Free Learning
Arrow right icon
Home > Cloud & Networking > Network Security > SQL Injection Strategies
SQL Injection Strategies
SQL Injection Strategies

SQL Injection Strategies: Practical techniques to secure old vulnerabilities against modern attacks

By Ettore Galluccio , Edoardo Caselli , Gabriele Lombari
$26.99
Book Jul 2020 210 pages 1st Edition
eBook
$26.99
Print
$38.99
Subscription
$15.99 Monthly
eBook
$26.99
Print
$38.99
Subscription
$15.99 Monthly

What do you get with eBook?

Product feature icon Instant access to your Digital eBook purchase
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Buy Now
Table of content icon View table of contents Preview book icon Preview Book

SQL Injection Strategies

Chapter 1: Structured Query Language for SQL Injection

Today's world relies on the concept of cyberspace every day: the internet allows people all around the globe to connect to computers in any part of the world. This enables instant fruition of many services that rely on a plethora of technologies, protocols, and mechanisms that constitute the basis for whatever is available on the World Wide Web. Unfortunately, the theme of security is relevant for this intricate web of connections and services in the same way it is for the real world.

Malicious agents perform attacks against computers worldwide every day, mostly just for personal gain or advantage. By exploiting online applications and services, in fact, it may be possible to gain control of computers or entire networks, thereby taking advantage of specific of the intrinsic vulnerabilities of some technologies, protocols, frameworks, or just applications. One of the most common – and notorious – ways to do...

Technical requirements

For this chapter and the next, the topics we will cover will mostly be theoretical. However, we suggest that you read the SQL technical documentation. Here, we have provided, for reference, the MySQL, Oracle, and Microsoft SQL Server documentation:

An overview of SQL – a relational query language

One of the most common ways to keep data memorized in computer systems is by relying on databases. Databases can be seen as large software containers that can hold lots of information in a structured and accessible way, in order to optimize how to store data and access their operations.

Depending on the approach and model used, the way in which this is achieved can vary in terms of implementation. One of the most common ways is to use the relational model, which is based on relational algebra, for which data is a collected as a series of records that describe the relationships that exist among objects. SQL is a query language that is based on such concepts, and it is widely adopted in many database systems. This section will deal with these topics in depth by first explaining database management systems, relational databases, and SQL.

Database management systems and relational databases

The implementation of a database...

The syntax and logic of SQL

As mentioned earlier, SQL is an easy to use and understand language capable of many different types of operations. Like all languages, it is based on interpreting command strings that are inserted with an expected syntax, with specific statements corresponding to one and only possible operation. SQL's main statements can be of many types. Let's take a look at the most important ones:

  • SELECT statement: SELECT is the most common SQL command. Its purpose is to allow the database to be searched, showing the specified attributes from the records that satisfy (optionally) a specific condition; for example:
    SELECT color, shape FROM objects

    This statement shows the color and shape attributes of all the records from the objects table. SQL also allows for a wildcard – in this case, the character * – to make general selections:

    SELECT * FROM objects
  • This statement will return all the records from objects table, showing all the attributes...

Security implications of SQL

As we've seen, SQL allows us to perform a very large set of instructions, making interacting with the whole database possible at many different levels. We can do this by modifying its structure too. With such a powerful language that can be used to perform any sort of operation on a database, it is natural to start wondering, what could go wrong? With a vast array of possible statements and operations, of course, a malicious attacker could have a wide selection of tools that could be used to damage databases, stored data, and applications using such data, in different ways. One simple instruction, such as DROP DATABASE <database name>, for example, could entirely compromise the functionality of an application that relies on databases to query data or even authentication data (that is, usernames and passwords).

For this reason, SQL code is never, at least directly, conceived to be interacted with inside an application. Instead, it is the application...

Weaknesses in the use of SQL

The main problem that leads to code injection – and obviously SQL injection too – is the way programming (and query) languages themselves inherently work.

Since commands are just strings of characters that are interpreted as code, and user input is made of text, we could, in principle, insert code syntax within user input. If not correctly validated and simply accepted without us applying any control, this injected code could result in the execution of arbitrary commands that have been manually inserted by a malicious user.

This is because a naïve string reader does not make any distinction between text and code as it is essentially binary data coded as text – the same is done from the standpoint of a computer program or an application. Usually, in order to inject specific instructions or code objects, specific characters are used to trick the parser – the software component in charge of reading the text input &...

SQL for SQL injection – a recap

This chapter served as an introduction to, in a general sense, the basic topics behind SQL injection. The following is a summary of the main points to focus on in this first chapter so that you can memorize the main concepts we have mentioned thus far:

  • SQL injection is a software weakness of SQL, a specific language and engine for interacting with database structures based on the relational model that treats data in a structured format using tables. It can allow malicious users to execute arbitrary commands, thus interacting with the database of an application in a way that is not originally intended by the application SQL injection can be used by attackers in many ways:
  • SQL provides a simple language that can be used to perform operations on relational databases. SQL processes statements with simple structures in most cases. Some SQL statements are as follows:

    -SELECT, to extract information from the...

Summary

So, to sum this up, let's take a look at what we covered in this chapter. SQL works using relationships, and it accepts a wide range of commands. We've also seen that, in general, some of these can be abused by malicious attackers. For this reason, we should keep security in mind when designing and developing applications that rely on databases. This chapter gave you a taste of the main security issues and possible solutions.

The next chapter will focus on what a malicious attacker can do by taking advantage of SQL capabilities. We will provide examples of this, all while dealing with aspects related to non-relational databases.

This first chapter, despite being more abstract, is essential for focusing on the main concepts behind SQL injection. Of course, this just an introduction to what we are going to cover throughout this book, but with more concrete examples. Be sure to keep these topics in mind when dealing with the practical aspects of SQL injection.

...

Questions

  1. What is a database?
  2. What is a relational database?
  3. What is SQL? What is it used for?
  4. Can you name some examples of SQL implementations in terms of database systems?
  5. What does SELECT mean in SQL? Why is it so important?
  6. Can you describe SQL injection in your own words?
Left arrow icon

Page 1 of 9

Right arrow icon
Download code icon Download Code

Key benefits

  • Understand SQL injection and its effects on websites and other systems
  • Get hands-on with SQL injection using both manual and automated tools
  • Explore practical tips for various attack and defense strategies relating to SQL injection

Description

SQL injection (SQLi) is probably the most infamous attack that can be unleashed against applications on the internet. SQL Injection Strategies is an end-to-end guide for beginners looking to learn how to perform SQL injection and test the security of web applications, websites, or databases, using both manual and automated techniques. The book serves as both a theoretical and practical guide to take you through the important aspects of SQL injection, both from an attack and a defense perspective. You’ll start with a thorough introduction to SQL injection and its impact on websites and systems. Later, the book features steps to configure a virtual environment, so you can try SQL injection techniques safely on your own computer. These tests can be performed not only on web applications but also on web services and mobile applications that can be used for managing IoT environments. Tools such as sqlmap and others are then covered, helping you understand how to use them effectively to perform SQL injection attacks. By the end of this book, you will be well-versed with SQL injection, from both the attack and defense perspective.

What you will learn

Focus on how to defend against SQL injection attacks Understand web application security Get up and running with a variety of SQL injection concepts Become well-versed with different SQL injection scenarios Discover SQL injection manual attack techniques Delve into SQL injection automated techniques

Product Details

Country selected
Publication date : Jul 15, 2020
Length 210 pages
Edition : 1st Edition
Language : English
ISBN-13 : 9781839215643
Category :
Cloud & Networking
Concepts :
Network Security

What do you get with eBook?

Product feature icon Instant access to your Digital eBook purchase
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
Buy Now

Product Details

Publication date : Jul 15, 2020
Length 210 pages
Edition : 1st Edition
Language : English
ISBN-13 : 9781839215643
Category :
Cloud & Networking
Concepts :
Network Security

Table of Contents

11 Chapters
Preface Chevron down icon Chevron up icon
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Code in Action
Download the color images
Conventions used
Get in touch
Reviews
1. Section 1: (No)SQL Injection in Theory Chevron down icon Chevron up icon
Section 1: (No)SQL Injection in Theory
2. Chapter 1: Structured Query Language for SQL Injection Chevron down icon Chevron up icon
Chapter 1: Structured Query Language for SQL Injection
Technical requirements
An overview of SQL – a relational query language
The syntax and logic of SQL
Security implications of SQL
Weaknesses in the use of SQL
SQL for SQL injection – a recap
Summary
Questions
3. Chapter 2: Manipulating SQL – Exploiting SQL Injection Chevron down icon Chevron up icon
Chapter 2: Manipulating SQL – Exploiting SQL Injection
Technical requirements
Exploitable SQL commands and syntax
Common SQL injection commands and manipulation
Not only SQL injection – non-relational repositories
The injection vulnerability in non-relational repositories
Wrapping up – (No-)SQL injection in theory
Summary
Questions
4. Section 2: SQL Injection in Practice Chevron down icon Chevron up icon
Section 2: SQL Injection in Practice
5. Chapter 3: Setting Up the Environment Chevron down icon Chevron up icon
Chapter 3: Setting Up the Environment
Technical requirements
Understanding the practical approach and introducing the main tools
Overview of the OWASP BWA project
The attacker – configuring your client machine
The target – configuring your target web applications
The target – configuring your target-emulated devices
Operating the lab
Summary
Questions
6. Chapter 4: Attacking Web, Mobile, and IoT Applications Chevron down icon Chevron up icon
Chapter 4: Attacking Web, Mobile, and IoT Applications
Technical requirements
Attacking traditional web applications– manual techniques
Attacking traditional web applications – automated techniques
Attacking mobile targets
Attacking IoT targets
Summary
Questions
Further reading
7. Chapter 5: Preventing SQL Injection with Defensive Solutions Chevron down icon Chevron up icon
Chapter 5: Preventing SQL Injection with Defensive Solutions
Technical requirements
Understanding general weaknesses and SQL injection enablers
Treating user input
Sanitization and input control
Defending against SQL injection – code-level defenses
Defending against SQL injection – platform-level defenses
Summary
Questions
8. Chapter 6: Putting It All Together Chevron down icon Chevron up icon
Chapter 6: Putting It All Together
SQL injection – theory in perspective
SQL injection – practice in perspective
SQL injection and security implications – final comments
Summary
Questions
9. Assessments Chevron down icon Chevron up icon
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
10. Other Books You May Enjoy Chevron down icon Chevron up icon
Other Books You May Enjoy
Leave a review - let other readers know what you think

Recommendations for you

Left arrow icon
Solutions Architect's Handbook
Solutions Architect's Handbook
Read more
Mar 2024 578 pages
ebook
eBook
  • ebook eBook $47.99
  • print Print $44.98
$47.99
$44.98 $59.99
Mastering PowerShell Scripting
Mastering PowerShell Scripting
Read more
May 2024 826 pages
ebook
eBook
  • ebook eBook $35.99
  • print Print $44.99
$35.99
$44.99
Linux Kernel Programming
Linux Kernel Programming
Read more
Feb 2024 826 pages
ebook
eBook
  • ebook eBook $39.99
  • print Print $49.99
$39.99
$49.99
Docker and Kubernetes for ASP.NET Development
Docker and Kubernetes for ASP.NET Development
Read more
Jun 2024 6h 43m
video Video
$89.99
Learn Ansible
Learn Ansible
Read more
May 2024 414 pages
ebook
eBook
  • ebook eBook $35.99
  • print Print $44.99
$35.99
$44.99
Microsoft Azure Fundamentals Certification and Beyond
Microsoft Azure Fundamentals Certification and Beyond
Read more
Jan 2024 284 pages
ebook
eBook
  • ebook eBook $35.99
  • print Print $44.99
$35.99
$44.99
Microsoft Azure Administrator (AZ-104)
Microsoft Azure Administrator (AZ-104)
Read more
May 2024 27h 23m
video Video
$249.99
Developing Solutions for Microsoft Azure AZ-204 Exam Guide
Developing Solutions for Microsoft Azure AZ-204 Exam Guide
Read more
May 2024 428 pages
ebook
eBook
  • ebook eBook $35.99
  • print Print $44.99
$35.99
$44.99
MS-102: Microsoft 365 Administrator
MS-102: Microsoft 365 Administrator
Read more
May 2024 9h 50m
video Video
$249.99
Developing Solutions for Microsoft Azure (AZ-204)
Developing Solutions for Microsoft Azure (AZ-204)
Read more
May 2024 14h 26m
video Video
$249.99
Right arrow icon

Customer reviews

Top Reviews
  • Top Reviews
  • Most Recent
Rating distribution
Empty star icon Empty star icon Empty star icon Empty star icon Empty star icon 0
(0 Ratings)
5 star 0%
4 star 0%
3 star 0%
2 star 0%
1 star 0%
Top Reviews
  • Top Reviews
  • Most Recent
No reviews found

People who bought this also bought

Left arrow icon
SQL Injection Strategies
SQL Injection Strategies
Read more
Jul 2020 210 pages
ebook
eBook
  • ebook eBook $9.99
  • print Print $38.99
$9.99 $26.99
$38.99
Kubernetes – An Enterprise Guide
Kubernetes – An Enterprise Guide
Read more
Dec 2021 578 pages
ebook
eBook
  • ebook eBook $9.99
  • print Print $48.99
$9.99 $39.99
$48.99
Mastering Ansible, 4th Edition
Mastering Ansible, 4th Edition
Read more
Dec 2021 540 pages
ebook
eBook
  • ebook eBook $9.99
  • print Print $43.99
$9.99 $35.99
$43.99
Enterprise DevOps for Architects
Enterprise DevOps for Architects
Read more
Nov 2021 288 pages
Full star icon 4
ebook
eBook
  • ebook eBook $9.99
  • print Print $54.99
$9.99 $43.99
$54.99
Mastering Ubuntu Server
Mastering Ubuntu Server
Read more
Sep 2022 584 pages
Full star icon 5
ebook
eBook
  • ebook eBook $9.99
  • print Print $54.99
$9.99 $43.99
$54.99
Ansible for Real-Life Automation
Ansible for Real-Life Automation
Read more
Sep 2022 480 pages
ebook
eBook
  • ebook eBook $9.99
  • print Print $41.99
$9.99 $33.99
$41.99
Right arrow icon

About the 4 authors

Left arrow icon
Profile icon Gabriele Lombari
Gabriele Lombari is a cybersecurity professional and enthusiast. During his professional career, he has had the opportunity to participate in numerous projects involving different aspects, concerning both strategic and technical issues, with a particular focus on the power and utilities industry. The activities he has made a contribution to have largely involved application security, architecture security, and infrastructure security. He graduated cum laude in computer science. During his free time, he is passionate about technology, photography, and loves to consolidate his knowledge of topics related to security issues.
Read more
See other products by Gabriele Lombari
Profile icon Gabriele Lombari
LinkedIn
Gabriele Lombari is a cybersecurity professional and enthusiast. During his professional career, he has had the opportunity to participate in numerous projects involving different aspects, concerning both strategic and technical issues, with a particular focus on the power and utilities industry. The activities he has made a contribution to have largely involved application security, architecture security, and infrastructure security. He graduated cum laude in computer science. During his free time, he is passionate about technology, photography, and loves to consolidate his knowledge of topics related to security issues.
Read more
See other products by Gabriele Lombari
Profile icon Edoardo Caselli
Edoardo Caselli is a security enthusiast in Rome, Italy. Ever since his childhood, he has always been interested in information security in all of its aspects, ranging from penetration testing to computer forensics. Edoardo works as a security engineer, putting into practice most aspects in the world of information security, both from a technical and a strategic perspective. He is a master's graduate in computer science engineering, with a focus on cybersecurity, and wrote his thesis on representation models for vulnerabilities in computer networks. Edoardo is also a supporter of the Electronic Frontier Foundation, which advocates free speech and civil rights on online platforms and on the internet.
Read more
See other products by Edoardo Caselli
Profile icon Ettore Galluccio
LinkedIn
Ettore Galluccio has 20+ years' experience in secure system design and cyber risk management and possesses wide-ranging expertise in the defense industry, with a focus on leading high-impact cyber transformation and critical infrastructure programs. Ettore has headed up cybersecurity teams for numerous companies, working on a variety of services, including threat management, secure system life cycle design and implementation, and common criteria certification and cybersecurity program management. Ettore has also directed the EY Cybersecurity Master in collaboration with CINI (National Interuniversity Consortium for Computer Science) and holds various international certifications in information security. His true passion is working on ethical hacking and attack models.
Read more
See other products by Ettore Galluccio
Right arrow icon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

How do I buy and download an eBook? Chevron down icon Chevron up icon

Where there is an eBook version of a title available, you can buy it from the book details for that title. Add either the standalone eBook or the eBook and print book bundle to your shopping cart. Your eBook will show in your cart as a product on its own. After completing checkout and payment in the normal way, you will receive your receipt on the screen containing a link to a personalised PDF download file. This link will remain active for 30 days. You can download backup copies of the file by logging in to your account at any time.

If you already have Adobe reader installed, then clicking on the link will download and open the PDF file directly. If you don't, then save the PDF file on your machine and download the Reader to view it.

Please Note: Packt eBooks are non-returnable and non-refundable.

Packt eBook and Licensing When you buy an eBook from Packt Publishing, completing your purchase means you accept the terms of our licence agreement. Please read the full text of the agreement. In it we have tried to balance the need for the ebook to be usable for you the reader with our needs to protect the rights of us as Publishers and of our authors. In summary, the agreement says:

  • You may make copies of your eBook for your own use onto any machine
  • You may not pass copies of the eBook on to anyone else
How can I make a purchase on your website? Chevron down icon Chevron up icon

If you want to purchase a video course, eBook or Bundle (Print+eBook) please follow below steps:

  1. Register on our website using your email address and the password.
  2. Search for the title by name or ISBN using the search option.
  3. Select the title you want to purchase.
  4. Choose the format you wish to purchase the title in; if you order the Print Book, you get a free eBook copy of the same title. 
  5. Proceed with the checkout process (payment to be made using Credit Card, Debit Cart, or PayPal)
Where can I access support around an eBook? Chevron down icon Chevron up icon
  • If you experience a problem with using or installing Adobe Reader, the contact Adobe directly.
  • To view the errata for the book, see www.packtpub.com/support and view the pages for the title you have.
  • To view your account details or to download a new copy of the book go to www.packtpub.com/account
  • To contact us directly if a problem is not resolved, use www.packtpub.com/contact-us
What eBook formats do Packt support? Chevron down icon Chevron up icon

Our eBooks are currently available in a variety of formats such as PDF and ePubs. In the future, this may well change with trends and development in technology, but please note that our PDFs are not Adobe eBook Reader format, which has greater restrictions on security.

You will need to use Adobe Reader v9 or later in order to read Packt's PDF eBooks.

What are the benefits of eBooks? Chevron down icon Chevron up icon
  • You can get the information you need immediately
  • You can easily take them with you on a laptop
  • You can download them an unlimited number of times
  • You can print them out
  • They are copy-paste enabled
  • They are searchable
  • There is no password protection
  • They are lower price than print
  • They save resources and space
What is an eBook? Chevron down icon Chevron up icon

Packt eBooks are a complete electronic version of the print edition, available in PDF and ePub formats. Every piece of content down to the page numbering is the same. Because we save the costs of printing and shipping the book to you, we are able to offer eBooks at a lower cost than print editions.

When you have purchased an eBook, simply login to your account and click on the link in Your Download Area. We recommend you saving the file to your hard drive before opening it.

For optimal viewing of our eBooks, we recommend you download and install the free Adobe Reader version 9.