EC-Council
CAST: Center for Advanced Security Training
Make The Difference

CAST 619: Advanced SQLi Attacks and Countermeasures
About EC-Council Center of Advanced Security Training (CAST)

The rapidly evolving information security landscape now requires professionals to stay up to date on the latest security technologies, threats and remediation strategies. CAST was created to address the need for quality advanced technical training for information security professionals who aspire to acquire the skill sets required for their job functions. CAST courses are advanced and highly technical training programs co-developed by EC-Council and well-respected industry practitioners or subject matter experts. CAST aims to provide specialized training programs that cover key information security domains at an advanced level.
Advanced SQLi Attacks and Countermeasures

Course Description

SQL injection is the most commonly used attack to break the security of a web application. According to NTT's Global Threat Intelligence Report (GTIR), the cost of a 'minor' SQL injection attack exceeds $196,000. Database usage is on the rise, as are the applications that interconnect databases, which makes SQL injection one of the top concerns for IT security professionals.

SQL injection takes advantage of non-validated input vulnerabilities and injects SQL commands through a web application that are executed in a back-end database. Attackers use this technique either to gain unauthorized access to a database or to retrieve information directly from the database. Attackers can use SQLi attacks to steal sensitive data, spoof identity, tamper with database records, reveal the database structure, delete the entire database, execute system commands, elevate privileges and compromise the whole system, perform DoS attacks on the server, and more.

The Advanced SQLi Attacks and Countermeasures course provides in-depth knowledge of the different types of SQL injection techniques, how to detect vulnerabilities, automated SQL injection tools, and the various countermeasures that protect web applications from these attacks.
What Will You Learn?

After completing this course, students will have learned:

01. Fundamentals of how web applications and server-side technologies work
02. Working of SQL injection attacks
03. SQL injection attack techniques, including error-based and blind SQL injection
04. Union exploitation technique
05. Different types of blind SQL injection attacks
06. How to detect SQL injection vulnerabilities
07. Testing for SQL injection and black-box pen testing techniques
08. Automated SQL injection vulnerability scanners
09. How to enumerate databases
10. Exploiting authentication vulnerabilities and launching Cross-Site Scripting (XSS) attacks
11. Compromising the network using SQL injection
12. Automated SQL injection tools
13. SQL injection techniques to bypass filters, WAF, and IDS
14. How to defend against SQL injection attacks
15. Investigating and handling SQL attack incidents
Duration

3 days (9:00 – 5:00)

Who Should Attend

• Database administrators
• Web app developers
• Security auditors
• Security professionals
Course Outline

Module 01: Introduction to SQL Injection Attacks

• What Is SQL Injection?
• Why Bother about SQL Injection?
• SQL Injection Attacks
• How Web Applications Work
• Server-side Technologies
• HTTP Post Request
• Example 1: Normal SQL Query
• Example 1: SQL Injection Query
• Example 1: Code Analysis
• Example 2: BadProductList.aspx
• Example 2: Attack Analysis
• Example 3: Updating Table
• Example 4: Adding New Records
• Example 5: Identifying the Table Name
• Example 6: Deleting a Table
• SQL Injection Attack Categories
• Getting Private Info
• Types of SQL Injection
• Error Based SQL Injection
• Error Based SQL Injection Techniques
• Blind SQL Injection
• No Error Messages Returned
• Blind SQL Injection: WAITFOR DELAY YES or NO Response
• Blind SQL Injection: Boolean Exploitation Technique
Module 02: SQL Injection Attack Methodology

• Information Gathering
• Extracting Information through Error Messages
• Understanding SQL Query
• SQL Injection Vulnerability Detection
• SQL Injection Detection
• SQL Injection Error Messages
• SQL Injection Attack Characters
• Additional Methods to Detect SQL Injection
• SQL Injection Black Box Pen Testing
• Testing for SQL Injection
• Code Review to Detect SQL Injection Vulnerabilities
• Perform Error Based SQL Injection
• Error Based Exploitation Technique
• Union Exploitation Technique
• Perform Error Based SQL Injection: Using Union SQL Injection
• Bypass Website Logins Using SQL Injection
• Perform Blind SQL Injection
• Blind SQL Injection – Exploitation (MySQL)
• Blind SQL Injection – Extract Database User
• Blind SQL Injection – Extract Database Name
• Blind SQL Injection – Extract Column Name
• Blind SQL Injection – Extract Data from ROWS
• Exploiting Second-Order SQL Injection
• Second-Order SQL Injection: Scenario
• Finding Second-Order Vulnerabilities
• Finding Second-Order Vulnerabilities: Automated Scanners
• Steps to Identify Second-Order SQL Injection Vulnerabilities
• Exploiting Client-Side SQL Injection
• Attacking Client-Side Databases
• Using Hybrid Attacks
• Leveraging Captured Data
• Creating Cross-Site Scripting
• Running Operating System Commands on Oracle
• Exploiting Authenticated Vulnerabilities
• Enumerate Data
• Database, Table, and Column Enumeration
• Advanced Enumeration
• Creating Database Accounts
• Password Grabbing
• Grabbing SQL Server Hashes
• Extracting SQL Hashes (In a Single Statement)
• Transfer Database to Attacker's Machine
• Interact with the OS
• Interacting with the Operating System
• Interacting with the File System
• Compromise the Network
• Network Reconnaissance Using SQL Injection
• Network Reconnaissance Full Query
• Automated SQL Injection Tools
Module 03: Bypassing Filter, WAF, and IDS

• Evading Input Filters
• Using Case Variation
• Using SQL Comments
• Using URL Encoding
• Using Dynamic Query Execution
• Using Null Bytes
• Using Nesting Stripped Expressions
• Exploiting Truncation
• Using Non-Standard Entry Points
• Introduction to WAF
• Methods to Bypass WAF
• Bypassing WAF: SQL Injection – Normalization
• Bypassing WAF: SQL Injection – HTTP Parameter Pollution (HPP)
• Bypassing WAF: SQL Injection – HTTP Parameter Fragmentation (HPF)
• Bypassing WAF: Blind SQL Injection
• Bypassing WAF: SQL Injection – Signature Bypass
• PHPIDS (0.6.1.1) – Default Rules
• Mod_Security (2.5.9) – Default Rules
• Evading IDS
• Types of Signature Evasion Techniques
• Evasion Technique: Sophisticated Matches
• Evasion Technique: Hex Encoding
• Evasion Technique: Manipulating White Spaces
• Evasion Technique: In-line Comment
• Evasion Technique: Char Encoding
• Evasion Technique: String Concatenation
• Evasion Technique: Obfuscated Codes
Module 04: SQL Injection Defenses and Incident Handling

• How to Defend Against SQL Injection Attacks
• SQL Injection Detection Tools
• Investigating and Handling SQL Attack Incidents
• Investigating a Suspected SQL Injection Attack
• Analyzing Digital Artifacts
• Containing the Incident
• Assessing the Data Involved
• Determining the Actions Performed by the Attacker on the System
• Recovering from a SQL Injection Attack
• Reducing the Attack Surface
Master Trainer:

Haja Mohideen, VP - Technology, EC-Council

Mr. Haja Mohideen is the VP - Technology and Co-Founder of EC-Council. He manages the certifications and training programs for EC-Council and leads the product development team. He is known worldwide as the creator of the popular EC-Council certification programs Certified Ethical Hacker (C|EH), Computer Hacking Forensics Investigator (CHFI), EC-Council Certified System Analyst / Licensed Penetration Tester (ECSA/LPT) and EC-Council Certified Secure Programmer (ECSP), among others.

Haja has 17 years of experience specializing in the development, support and project management of PC software and hardware. He has trained various Fortune 500 companies as well as US government agencies. He is also the Master Trainer for EC-Council courses, and his training is often sought after globally. He has led training in many countries including Greece, India, USA, Indonesia, Singapore, England and Mexico, amongst others. Haja is also one of the few who are qualified to conduct train-the-trainer sessions for EC-Council courses.

Haja holds a Master's degree in Software Engineering and has numerous industry-wide IT certifications from Microsoft, IBM, Cisco, Motorola, 3COM, Adobe, Intel and many others. He carries over 90 vendor certifications.