2012-07-27

New Techniques in SQLi Obfuscation: SQL never before used in SQLi

First presented Friday, July 27, 2012 at DEFCON 20, Las Vegas, NV,
at the Rio at 4:20pm.

Tweet from Mike Arpaia

Original abstract:

SQLi remains a popular sport in the security arms-race. However, after
analysis of hundreds of thousands of real world SQLi attacks, output
from SQLi scanners, published reports, analysis of WAF source code,
and database vendor documentation, both SQLi attackers and defenders
have missed a few opportunities. This talk will iterate through the
dark corners of SQL for use in new obfuscated attacks, and show why
they are problematic for regular-expression-based WAFs. This will
point the way for new directions in SQLi research for both offense and
defense.