SQL injection - Attacks and defense by Justin Clarke et al. - Book review

This book was published by Syngress in 2009. Richard Bejtlich of TaoSecurity named it his book of the year for 2009. It has ten authors, the lead one being Justin Clarke.

In my eyes, this is a mandatory reference book for everyone testing web applications that use a database (most of them, by the way), today and over the last 10 years!

The book is broken down into 10 chapters. Let's go through them one by one:

Chapter 1 - What is SQL injection?
A general introduction to the topic of the book. A slightly confusing chapter; I would recommend re-reading it at the end. The reader will then have more than one eureka moment.

Chapter 2 - Testing for SQL injection
This chapter wears the "hacker's hat" and shows how to find SQL injection instances in a web application connected to a database. This is a nice intro to the rest of the book. It provides useful tips about the SQL error messages displayed by MS SQL Server, MySQL and Oracle. One of the coolest points of this book is the collection of tools that most of the chapters offer at their end. This is also the case for chapter 2. Worth mentioning, mainly because it is a free tool (and a very good one!), is Paros Proxy.

Chapter 3 - Reviewing code for SQL injection
This chapter wears the "developer's hat" and shows how to follow user data (they use the nice term "tainted data") through lines of PHP, Java and C# code. The end of the chapter mentions some source code analysis tools like YASCA or the MS Source Code Analyzer for SQL Injection.

Chapter 4 - Exploiting SQL injection
These pages show the deep foundations of this art, with steps such as identifying the database, extracting data through UNION statements, using conditional statements, enumerating the database schema, escalating privileges, stealing password hashes, out-of-band communication and finally, they present some tools to automate SQL injection exploitation such as sqlmap and bobcat.

Chapter 5 - Blind SQL injection exploitation
This chapter wears the "advanced hacker/detective's hat". Using time-based, binary search, bit-by-bit inference and response-based techniques, they present ways to infer knowledge from the interaction with a database. They also mention some tools such as Absinthe, Sqlninja and Squeeza.

Chapter 6 - Exploiting the operating system
Normally a database is application software residing on top of an operating system. In this chapter, they keep on wearing the "advanced hacker/detective's hat" and present ways to read and write files and to execute OS commands.

Chapter 7 - Advanced topics
Richard Bejtlich finds it funny that in this "advanced & technical" book the authors have inserted a chapter for "even more" advanced topics. I agree with him. Whatever our views are, this chapter describes ways to evade input filters, to exploit second-order SQL injection and to use hybrid attacks.

Chapter 8 - Code-level defenses
This is the chapter that "developers" should read, without any doubt. The key to avoiding SQL injection attacks is to code all database access with parameters that are out of the users' reach, so that user input never becomes part of the SQL statement itself. The authors propose a series of recommendations to validate input and to encode output.
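As an added illustration (not from the book or from this review), here is what that chapter's central recommendation looks like in Python with the standard-library sqlite3 module: the string-concatenation version beside the parameterised one, plus an allow-list for the one place, column identifiers, where parameters cannot be used. The table and inputs are constructed for the example.

```python
import sqlite3

# Constructed sample database for the example (not from the book).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return conn

def lookup_unsafe(conn, name):
    # Vulnerable: the caller's string is spliced into the SQL text, so the
    # database cannot tell where the query ends and the data begins.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, name):
    # Parameterised: the SQL text is fixed and the value travels separately,
    # so quotes or keywords inside the input are matched literally, never parsed.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

# Column names cannot be bound as parameters; validate them against an
# allow-list instead of trusting the caller (the chapter's "validate input" advice).
SORTABLE_COLUMNS = {"id", "name", "role"}

def list_users_sorted(conn, column):
    if column not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return [row[0] for row in conn.execute(f"SELECT name FROM users ORDER BY {column}")]

if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "x' OR '1'='1"))   # all three users leak out
    print(lookup_safe(db, "x' OR '1'='1"))     # [] : input treated as a literal
    print(lookup_safe(db, "O'Brien"))          # [] : and no syntax error either
    print(list_users_sorted(db, "name"))       # ['alice', 'bob', 'carol']
```

The same pattern applies to the PHP, Java and C# code the book reviews; only the placeholder syntax and the driver's call for binding parameters change.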

Chapter 9 - Platform-level defenses
Together with excellent coding practices, there are some measures related to the operating platform that we can take to avoid SQL injection. Examples are web application firewalls, web server filters, IDSs and securing the database itself.

Chapter 10 - This chapter is the one every "white hat hacker" should have at hand when assessing a web app connected to a database. It is a great reference for SQL commands and SQL injection tricks for SQL Server, MySQL, Oracle, PostgreSQL and even DB2. If you need to select only one chapter, focus on this one.

You can also read Richard's review of this book on Amazon.

All in all, a book worth its price; keep it as a web app pen test reference book! Thanks to the authors for this nice work, and a special mention to whoever merged and composed the input from 10 different authors into a single book.

Happy reading!