New Techniques in SQLi Obfuscation
After analysis of tens of thousands of real world SQLi attacks, both WAFs and attackers have missed a number of the finer points of SQL. This presentation was first given at DEFCON 20 in Las Vegas, NV
First presented Friday July 27, 2012 at DEFCON 20, Las Vegas, NV, at the RIO on 4:20pm.
Original abstract:
SQLi remains a popular sport in the security arms-race. However, after analysis of hundreds of thousands of real world SQLi attacks, output from SQLi scanners, published reports, analysis of WAF source code, and database vendor documentation, both SQLi attackers and defenders have missed a few opportunities. This talk will iterate through the dark corners of SQL for use in new obfuscated attacks, and show why they are problematic for regular-expression based WAFs. This will point the way for new directions in SQLi research for both offense and defense.