SQL Injection For Developers

Abstract

Over the past several years, hacktivists, criminals, and people just "out for lulz" have managed to find sensitive data owned by companies like Sony, Yahoo, and Last.fm, among many others. In all of these cases, the attackers exploited websites using SQL injection attacks.

SQL injection is at the top of the Open Web Application Security Project (OWASP) top 10 list and is an important part of one of the SANS 20 critical security controls. This talk will go into what SQL injection is, how attackers can use it, and how to secure your sites so that your CIO and CISO never show up on the evening news.

This talk will focus on the Microsoft stack (IIS, ASP.NET, and SQL Server), but the lessons apply to all web systems everywhere.


Slides

The deck for this presentation is available in two formats: PowerPoint 2010 or PDF.

The PowerPoint version includes additional notes (and stage directions).

The slides are licensed under Creative Commons Attribution-ShareAlike.


Demo Code

The demonstration code is available in .zip format.

The .zip file includes:

The source code is licensed under the terms offered by the GPL. The slides are licensed under Creative Commons Attribution-ShareAlike.

Obligatory Warning: The entire purpose of this demonstration is to show what happens when you have unsafe code. Please do not put this code on a production machine or a device with a direct connection to the Internet.