New Techniques in SQLi Obfuscation: SQL never before used in SQLi

Nick Galbreath

First presented Friday July 27, 2012 at DEFCON 20, Las Vegas, NV. At the RIO 4:20pm

{{ “/assets/2012_defcon_t14” | videojs }}

Tweet from Mike Arpaia

Mike Arpaia Tweet

Original abstract:

SQLi remains a popular sport in the security arms-race. However, after analysis of hundreds of thousands of real world SQLi attacks, output from SQLi scanners, published reports, analysis of WAF source code, and database vendor documentation, both SQLi attackers and defenders have missed a few opportunities. This talk will iterate through the dark corners of SQL for use in new obfuscated attacks, and show why they are problematic for regular-expression based WAFs. This will point the way for new directions in SQLi research for both offense and defense.