Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Some updates to the Oracle default password list"] [Next entry: "Frank has a review of Bruce Schneier book "Beyond Fear""]

Nice article on SQL Injection

I found a nice introductory article on SQL Injection on the pen-test mailing list tonight. The paper was written to document the experiences of the author in penetrating a customers web based application.

As the author says there are no ground breaking discoveries in the paper but it does talk about real examples and experiences and does cover the subject quite well as an overview and introduction. The author says he gave this paper as a presentation to the customer involved and their reaction was well worth it.

The paper is based around IIS, ASP.NET and MS SQL Server but that doesn't really matter in this case as the paper is worth reading for the background and the techniques employed. The paper is called "SQL Injection Attacks by Example".

This paper is well written and gives a good example of the thought processes involved in compromising a system using SQL Injection, Steve then goes on to suggest how an attack could be taken further and also talks about how to protect against SQL Injection attacks. As I said this is a very good introduction paper to the technique and well worth reading.