Building the bridge between the web app and the OS: GUI access through SQL Injection

Alberto Revelli, Portcullis Computer Security

ayr@portcullis- r00t@

OWASP-Day II, Università "La Sapienza", Roma, 31st March 2008

Copyright © 2008 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.

The OWASP Foundation



Agenda

- Context
- Evading WAF/IPS
- Escalating privileges
- Uploading executables
- DNS-fu
- GUI access

OWASP Day II - 31st March 2008

OWASP-Italy

About me...

- Senior Consultant for Portcullis Computer Security
- Technical Director of the Italian Chapter of OWASP
- Co-author of the OWASP Testing Guide 2.0
- Developer of sqlninja -


SQL Injection: the base concept

[Diagram: Client -> Web Application -> Back-end Database]

SELECT name,address,mail,creditcard FROM users WHERE id='1'


SQL Injection: the base concept

[Diagram: Client -> Web Application -> Back-end Database]

The application does not filter input parameters!!

SELECT name,password,creditcard FROM users WHERE id=[SQL_CODE]
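The two slides above contrast a fixed id with an unfiltered one. The following is an added example, not code from the talk or from sqlninja: the slide's lookup written once with string concatenation (the unfiltered WHERE id=[SQL_CODE] pattern) and once with a bound parameter, run against a constructed in-memory SQLite table so the difference is observable: the same input is SQL code in the first and plain data in the second.

```python
import sqlite3


def setup_db():
    """Constructed in-memory table mirroring the slide's SELECT columns;
    every row value is made up for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id TEXT, name TEXT, address TEXT, mail TEXT, creditcard TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?)", [
        ("1", "Alice", "Via Roma 1", "alice@example.invalid", "4111-0001"),
        ("2", "Bob", "Via Milano 2", "bob@example.invalid", "4111-0002"),
        ("3", "Carol", "Via Napoli 3", "carol@example.invalid", "4111-0003"),
    ])
    return conn


def lookup_vulnerable(conn, user_id):
    """The slide's pattern: the parameter is pasted into the SQL text without
    filtering, so whatever the client sends becomes part of the statement."""
    sql = "SELECT name,address,mail,creditcard FROM users WHERE id='" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Hardened form: the value is bound as a parameter and is never parsed
    as SQL, so the statement's structure is fixed by the developer."""
    sql = "SELECT name,address,mail,creditcard FROM users WHERE id=?"
    return conn.execute(sql, (user_id,)).fetchall()


def demo():
    """Row counts returned for a benign id and for a constructed tautology."""
    conn = setup_db()
    benign = "1"
    hostile = "1' OR '1'='1"  # constructed input that closes the quote
    return {
        "vuln_benign": len(lookup_vulnerable(conn, benign)),
        "vuln_hostile": len(lookup_vulnerable(conn, hostile)),    # every row
        "param_benign": len(lookup_parameterized(conn, benign)),
        "param_hostile": len(lookup_parameterized(conn, hostile)),  # no row
    }


if __name__ == "__main__":
    print(demo())
```

Against the slide's unquoted form (WHERE id=[SQL_CODE]) no quote is even needed to alter the statement, which is why the fix is parameter binding rather than quote filtering.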
