lecture: Exploiting esoteric SQL injection vulnerabilities
Although SQL injection vulnerabilities are the most common web application vulnerabilities, many tools and penetration testers still miss them.
This presentation will show how some esoteric SQL injection vulnerabilities that might seem impossible to exploit can indeed be pwned.
In spite of being at #1 in the OWASP Top 10 "list of vulnerabilities" since 2010 and posing an extreme risk, SQL injection is still the most common vulnerability identified in web applications, no matter which language or framework is used.
In this presentation we will explain the basics behind SQL injection vulnerabilities and will then look at a few special examples where exploits were discovered on systems thought to be protected or impossible to exploit.
We will go through some live hacks in order to extract information from the backend database by cleverly stimulating vulnerable web applications to extract one byte of data at a time.
As a bonus, we will show how even the best web application vulnerability scanners will miss such SQL injection vulnerabilities, which we will eventually exploit.
Start time: 14:30