LINKS & FURTHER INFO
References
This material was originally part of a blog series on SQL injection I did. That series got turned into a chapter of Tribal SQL.
Simple Talk later published my SQL injection chapter as an article, so you can read it for free.
Interesting Links
For more resources on SQL injection, I recommend checking out the following:
- The Open Web Application Security Project (OWASP) periodically publishes a Top 10 list of web application security risks, and in recent editions injection attacks have landed at #1 or #2.
- In a 2011 Imperva study, 83% of successful data breaches involved SQL injection.
- Listing the set of companies and organizations with high-profile SQL injection attacks would take too long. Fortunately, the Code Curmudgeon did it for me with his SQL Injection Hall of Shame. I laughed; I cried; I hoped my employers weren't on the list.
- The first time I gave this talk, I had a special Sony edition based on their numerous breaches during the year 2011. That's seven separate SQL injection attacks, not to mention the most recent one.
- HTTP Parameter Pollution is one of my favorite attack vectors. In ASP.NET on IIS, repeated querystring parameters with the same name come back as a single comma-joined value, so an attacker can split a payload across several parameters that each look harmless on their own and let the framework reassemble it, which makes attackers happy.
- Kim Tripp on how to prevent SQL injection, with a lot more detail on EXEC versus sp_executesql. To be honest, I prefer Aaron Bertrand's argument for using sp_executesql instead of EXEC, because it lets you pass values as parameters rather than concatenating them into the SQL string. My advice: if you are as smart and as careful as Kim Tripp, use EXEC; otherwise, use sp_executesql.
- Conor Cunningham of Microsoft points to Microsoft's official guidance on avoiding SQL injection attacks. It's good reading.
- Bobby Tables is a website dedicated to writing injection-free database code, using parameterized queries, in the language of your choice.
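To make the HTTP Parameter Pollution point and the parameterize-don't-concatenate point concrete, here is an added example that is not part of the original article or any of the linked resources. It simulates in Python how ASP.NET joins repeated querystring keys with commas, shows a per-parameter signature filter waving the fragments through, and then runs the reassembled value against an in-memory sqlite3 table (a stand-in for SQL Server; both treat `/* */` and `--` as comments) first by string concatenation and then as a bound parameter. The table, the filter regex, and the polluted querystring are all constructed for this example; the parameterized call plays the same role that sp_executesql's parameters play in T-SQL.

```python
"""HTTP Parameter Pollution against a per-parameter injection filter.

ASP.NET on IIS exposes repeated querystring keys as one comma-joined value,
so a check that inspects each raw value in isolation sees harmless fragments
while the database sees the reassembled payload. sqlite3 stands in for
SQL Server here; both treat /* */ and -- as comments.
"""
import re
import sqlite3
from urllib.parse import parse_qsl

# Constructed sample table (not data from the article).
ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]

# A naive per-value signature check, the kind of filter HPP is used to evade.
BAD_PATTERN = re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.IGNORECASE)

# Payload split so every fragment is innocuous on its own; the /* */ comments
# swallow the commas that ASP.NET inserts when it joins the repeated 'id' key.
POLLUTED_QS = "id=1/*&id=*/OR/*&id=*/1=1--"


def parse_query(qs):
    """Return the raw (name, value) pairs exactly as they arrive on the wire."""
    return parse_qsl(qs, keep_blank_values=True)


def aspnet_style_value(pairs, name):
    """Mimic Request.QueryString[name] in ASP.NET: repeated keys joined with ','."""
    values = [v for k, v in pairs if k == name]
    return ",".join(values) if values else None


def per_value_filter_passes(pairs):
    """Inspect each raw value separately; True means nothing looked like injection."""
    return not any(BAD_PATTERN.search(v) for _, v in pairs)


def reject_duplicates(pairs):
    """Defence in depth: refuse any request that repeats a parameter name."""
    names = [k for k, _ in pairs]
    return len(names) == len(set(names))


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_concatenated(user_id):
    """Vulnerable: the joined value is spliced straight into the SQL text."""
    conn = _connect()
    sql = "SELECT name FROM users WHERE id = " + user_id
    return [r[0] for r in conn.execute(sql)]


def lookup_parameterized(user_id):
    """Fixed: bind the value; a non-numeric string simply matches no row."""
    conn = _connect()
    sql = "SELECT name FROM users WHERE id = ?"
    return [r[0] for r in conn.execute(sql, (user_id,))]


if __name__ == "__main__":
    pairs = parse_query(POLLUTED_QS)
    joined = aspnet_style_value(pairs, "id")
    print("per-value filter passes:", per_value_filter_passes(pairs))
    print("joined value seen by the database:", joined)
    print("concatenated query returns:", lookup_concatenated(joined))
    print("parameterized query returns:", lookup_parameterized(joined))
    print("request has duplicate names:", not reject_duplicates(pairs))
```

The concatenated query executes as `WHERE id = 1 OR 1=1` once the comments are skipped and dumps every row, while the bound parameter is compared as a value and matches nothing. Rejecting duplicate parameter names is a useful extra control at the web tier, but parameterization is the fix that works regardless of how the framework parses the request.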
Tools
- sqlmap is my favorite SQL injection tool. You can automate it, tie it into Metasploit, and it's a ridiculously smart tool.
- One of the other popular tools in this realm is Havij. Havij is great because of its UI. I see it as a tool you can use to play around with a site (given permission!) and to learn more about SQL injection, whereas sqlmap is a tool you can use to scale out testing across your environment.
Books and Other Resources
- Tribal SQL. My chapter is the only one on SQL injection, but there are other chapters on other interesting topics written by outstanding people.
- Securing SQL Server by Denny Cherry. I read the first edition of his book shortly after I wrote the original blog series, and much of his work on SQL injection coincides with mine. Check it out for another take on the topic.
- SQL Injection Attacks and Defense by Justin Clarke, et al. Get this book if you want a more detailed look into the topic.
- OWASP Top 10 for .NET Developers by Troy Hunt. It's a few years old now, but it is a fantastic work and is a free ebook. Also check out his Pluralsight video on the topic. Troy has a number of Pluralsight videos and I recommend every one of them.