This paper will not cover basic SQL syntax or SQL Injection. It is assumed that the reader has a
strong understanding of these topics already. This paper will focus on advanced techniques that
can be used in an attack on a (web) application utilizing Microsoft SQL Server as a backend.
These techniques demonstrate how an attacker could use a SQL Injection vulnerability to retrieve
the database content from behind a firewall and penetrate the internal network. This paper is
meant to educate security professionals about the potentially devastating effects SQL Injection could
have on an organization.

Web applications are becoming more secure because of the growing awareness of attacks such
as SQL Injection. However, in large and complex applications, a single oversight can result in the
compromise of the entire system. Specifically, many developers and administrators of (web)
applications may have a false sense of security because they use stored procedures or mask
error messages returned to the browser. This may lead them to believe that they cannot be
compromised by this vulnerability.

While we discuss Microsoft SQL Server in this paper, this is in no way indicative that Microsoft SQL