Cover image for SQL Injection Defenses

Book Description

This Short Cut introduces you to how SQL injection vulnerabilities work, what makes applications vulnerable, and how to protect them. It helps you find your vulnerabilities with analysis and testing tools and describes simple approaches for fixing them in the most popular web-programming languages.

This Short Cut also helps you protect your live applications by describing how to monitor for and block attacks before your data is stolen.

Hacking is an increasingly criminal enterprise, and web applications are an attractive path to identity theft. If the applications you build, manage, or guard are a path to sensitive data, you must protect your applications and their users from this growing threat.

Table of Contents

  1. SQL Injection Defenses
    1. SQL Injection Defenses
    2. Why Should You Care?
      1. Data at Risk
    3. How Applications Work
      1. How Web Applications Work
      2. How SQL Queries Work
      3. How Web Applications Receive Data
    4. Attacks
      1. Motivations
      2. What Makes Attacks Possible?
      3. How Attacks Work
        1. Step 1: Reconnaissance
        2. Step 2: Probing for vulnerabilities
        3. Step 3: Attack
      4. Types of Attacks
        1. Full-view SQL injection attacks
        2. Blind SQL Injection Attacks
        3. Autonomous SQL injection attacks
    5. Defenses
      1. Defense #1: Code Securely
        1. Educate your developers
        2. Follow best practices
        3. Secure coding with Perl
        4. Secure coding with PHP
        5. Secure coding with Java
        6. Secure coding with VB.NET
        7. Secure coding with Ruby on Rails
      2. Defense #2: Monitor for Attacks
        1. Network IDS
          1. Example custom signature in Snort
        2. Responding to IDS alerts
        3. Other forms of IDS
      3. Defense #3: Block Attacks
        1. Application firewalls
          1. Web-application firewalls
      4. Defense #4: Probe for Vulnerabilities
        1. Test for flaws
        2. Static analysis: scan your source code
        3. Black-box testing: scan your live web applications
        4. Manual penetration testing
    6. Conclusion and Bottom Line
    7. About the Author