12 Reviews
12 of 12 people found the following review helpful:
5.0 out of 5 stars
Finally, the "Bible" for SQL Injection
By Mike (Long Island, NY USA)
This review is from: SQL Injection Attacks and Defense (Paperback)
I'm giving "SQL Injection Attacks and Defenses" five stars for a few reasons.
First, the book is extremely comprehensive, covering everything from basic "What is SQL Injection?" information to advanced exploit development and static analysis tools (including open source tools). Second, this book was obviously written very recently. The content is fresh and cutting-edge. Finally, the book is advanced. Though the reader doesn't necessarily need to know much about SQL Injection in order to start reading it, the book covers as much as anyone would need to know about the subject. SQL Injection Attacks and Defenses is a well written, comprehensive book that can be extremely useful to security professionals, developers, and database administrators interested in writing or maintaining secure code. It could easily be called the "bible" of SQL Injection.
6 of 6 people found the following review helpful:
5.0 out of 5 stars
Another serious contender for Best Book Bejtlich Read 2009
I just finished reviewing The Web Application Hacker's Handbook, calling it a "Serious candidate for Best Book Bejtlich Read 2009." SQL Injection Attacks and Defense (SIAAD) is another serious contender for BBBR09. In fact, I recommend reading TWAHH first because it is a more comprehensive overview of Web application security. Next, read SIAAD as the definitive treatise on SQL injection. Syngress does not have a good track record when it comes to books with multiple authors -- SIAAD has ten! -- but SIAAD is clearly a winner. SIAAD is very detailed, with code samples to demonstrate the authors' attack patterns. They cover multiple programming languages, multiple databases, and flood the book with examples. It's clear the authors utilize these methods for their daily work. Just about every situation is addressed, like returning database query results using DNS, HTTP, database connections, and even email. I admit I laughed when reading that chapter 7 offered "advanced topics." I thought the first 6 chapters were advanced enough, given the depth of the material! I had no real issues with this book, but it's important to realize you won't read about attacks against PostgreSQL, for example. Other reviewers noted this as well. However, the authors do concentrate on the methodology and offensive mindset needed to attack any SQL database. I believe dedicated readers could apply the lessons of SIAAD to products beyond MS-SQL, Oracle, and MySQL. Great work -- this is the sort of "niche book" that should be referenced by anyone else who wants to cover Web-related attacks.
4 of 4 people found the following review helpful:
5.0 out of 5 stars
Tour de Force Coverage of SQL Injection Issues
By Data Guy (Texas)
This is a book that I can heartily endorse. My bailiwick, and probably yours too if you are looking here, is data management and database administration. And if you function within that realm, you should be familiar with SQL injection attacks and how to defend them. Not surprisingly, given its title, that is just what this book provides.
SQL injection is quite dangerous, and yet is commonly misunderstood by many. This book, which is devoted exclusively to the SQL injection threat and how to defend against it, provides the knowledge and tactics you will need to understand and combat SQL injection attacks. From the basics of vulnerability to discovery, exploitation, prevention, and mitigation measures, the book is a SQL injection tour de force. The book is up-to-date and covers unique, publicly unavailable information. One quick example of a major benefit of this book: you can make the code-level and platform-level defenses offered in Chapters 8 and 9 available to the developers and system administrators responsible for Internet development at your shop... which should minimize the risk of SQL injection attacks. If you are a DBA, programmer, or system analyst involved in writing Internet applications using database systems, then you owe it to yourself to buy and read SQL Injection Attacks and Defense. It just may save your data!
3 of 3 people found the following review helpful:
5.0 out of 5 stars
Credit where credit is due
Not sure whether this is the appropriate place to leave this comment (as I'm the technical editor/lead author on this book), but Amazon doesn't seem to have a good way for the author to comment.
This book was a combined effort of 10 folks who put a large amount of effort into the overall project. Unfortunately because of the way Syngress has listed the book (with only my name on the front as the lead author) those folks don't get the credit they deserve. This is the list of guys without whom the book would not have been anywhere near as good:
- Rodrigo Marcos Alvarez
- Dave Hartley
- Joseph Hemler
- Alexander Kornbrust
- Haroon Meer
- Gary O'Leary-Steele
- Alberto Revelli
- Marco Slaviero
- Dafydd Stuttard
2 of 2 people found the following review helpful:
5.0 out of 5 stars
Good Enough to be Dangerous
It really surprises me that SQL injection is still such a ubiquitous attack vector given that it is really fairly simple to prevent. I believe that the reason for this is that many software developers just don't understand how these attacks are orchestrated by hackers in the wild, so they often tend to resort to simplistic "security through obscurity" solutions such as not displaying error messages, restricting the number of rows returned for queries, and so forth. With this in mind, what really makes this book shine is its deep dive into some of the more arcane techniques used in blind SQL injection, second order SQL injection, and blended attacks, such as piggybacking SQL injection onto other attack vectors such as cross site scripting. It goes well beyond the simple injection tactics that are given only cursory coverage in many other security texts and lays it all out there for developers, engineers, and anybody else who wants to really get their hands around how these attacks work, and more importantly, how to prevent them.
I use this book quite often as an authoritative reference for security awareness presentations to application development teams because it provides some of the most comprehensive coverage of the topic that I have seen. That said, if I am critical of anything in this book, it is that the author, in my opinion, finesses a bit on his treatment of prepared statements and stored procedures as mitigation strategies against SQL injection attacks. Both prepared statements (parameterized queries if you prefer) and stored procedures can be highly effective countermeasures to combat SQL injection exploits; however, if these techniques are naively implemented (as they frequently are), they can be readily subverted by a skilled attacker. A bit more detail devoted to the correct use patterns for these countermeasures would be a worthwhile addition. Nevertheless, I still rate this a five star read because of its depth, overall accuracy, its coverage of automated SQL injection tools, and its excellent coverage of attacks against the most commonly used database products, such as Oracle, MS SQL Server, and MySQL.
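The review above makes the point that "parameterized" queries and stored-procedure-style helpers only protect you when the user's input is actually bound as data; if it is spliced into the SQL text first, nothing has been gained. The following added example (my own code, not from the book or from any reviewer) illustrates that with Python's standard sqlite3 module and a constructed three-row table: a lookup that merely looks parameterized, the properly bound form, and a sort helper whose column name cannot be bound at all and therefore needs an allow-list. All function names and sample rows are assumptions made for the demo.

```python
import sqlite3

# Constructed sample rows for the demo; nothing here comes from the book.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# Identifiers (table and column names) cannot be bound as parameters, so the
# only safe way to let a caller choose a sort column is a fixed allow-list.
ALLOWED_SORT_COLUMNS = {"name", "email"}


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_naive(conn, name):
    """Looks parameterized at a glance, but %-formatting splices the input
    into the SQL text before the driver ever sees it, so the input can
    change the structure of the query."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The driver binds the value to the ? placeholder: the input is data,
    never SQL, whatever characters it contains."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def list_sorted_naive(conn, sort_column):
    """A stored-procedure style helper that concatenates an identifier.
    The caller controls the ORDER BY clause as raw SQL."""
    sql = "SELECT name, email FROM users ORDER BY " + sort_column
    return conn.execute(sql).fetchall()


def sort_column_accepted(sort_column):
    """True if the allow-listed helper would run the query for this input."""
    return sort_column in ALLOWED_SORT_COLUMNS


def list_sorted_allowlisted(conn, sort_column):
    """Same query, but the identifier must match the allow-list exactly."""
    if not sort_column_accepted(sort_column):
        raise ValueError("unsupported sort column: %r" % sort_column)
    sql = "SELECT name, email FROM users ORDER BY " + sort_column
    return conn.execute(sql).fetchall()


def demo():
    """Run both lookup forms on the same inputs and return the row counts."""
    conn = make_db()
    # Classic test input: a string that closes the quote and appends a tautology.
    tautology = "' OR '1'='1"
    return {
        "naive_normal": len(lookup_naive(conn, "alice")),
        "naive_tautology": len(lookup_naive(conn, tautology)),
        "param_normal": len(lookup_parameterized(conn, "alice")),
        "param_tautology": len(lookup_parameterized(conn, tautology)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the block shows the naive lookup returning every row for the tautology input while the bound version returns none, which is the difference the reviewer is asking the book to spell out; the allow-listed sort helper rejects anything that is not a known column, because binding cannot help with identifiers.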
5.0 out of 5 stars
Amateur, or professional ...
Amazon Verified Purchase
...you should read this book. Whether you're a professional app hacker, or just want to learn what this all means - read the book. One of the best on the subject, period. Take it from the 'Wh1t3 Rabbit' :)
5.0 out of 5 stars
Beats the concepts into you
Let me preface this review by saying that I have performed and understand the subject matter fairly well. I was more interested in picking up some new tricks and techniques and also taking a look at the code review section.
As far as tips and tricks go, this book delivered. What I liked about this book was how the authors explained a myriad of ways to do something. For example, uploading a file to the file system. They covered privileges needed, how likely you'd run across something like this, the different ways for the most common RDBMSs, ways that may be more likely in the future, etc. It was this kind of information that I was hoping to find in the book. I even picked up some new techniques I hadn't heard about or thought about. The section on privilege escalation was incredibly interesting. Also, have you ever heard of second-order SQL injection? It was a 'duh' moment about the possibilities I may have missed in the past. There were a couple of things I, personally, did not like about this book. They sort of beat ideas into your head. This is great when you are first learning the subject. The more you hear about the subject, and the different wordings of it, the more it sticks in your head. However, when you know about the technique, it gets annoying to hear the same thing explained over and over again. This does not detract from my overall enjoyment of the material. I also would have to say I was disappointed in the code review section. I believe they did a good job if you are new to code review, but a short excerpt on lexical analysis and how to create regexes to search for commonly abused functions was the most it was willing to venture into this category. I certainly will not downgrade the quality of this book because I believe this section was only included to give an all-encompassing look at the material. To end on a good note, I was not expecting the quality of the reference section. If you felt there was something not covered in the main material, which I did, then you could certainly find it in the reference section.
I felt that the majority of the book was aimed at those new to the subject while the reference section was like an amazing pocket guide for those who already understand the subject or, of course, have finished and understand what they just read. I was pleasantly impressed with this section. I certainly enjoyed the material. I burned through the material rather quickly and would recommend it to anyone who's interested in learning about SQL injection or willing to pick up some new material on the subject.
5.0 out of 5 stars
SQL Injection Primer
Amazon Verified Purchase
Justin has delivered his education and training on SQL Injection and Application Security at conferences all over the world and I encourage all to attend.
This book is two fold: It delivers ways for the professional security consultant to expand the horizon of SQLi and it teaches the methods of prevention for those who defend. There is not a better book written on this subject. His experience incorporated with that of the expertise of peers (a true "who's who" of international application security knowledge) produced material that should be understood by all resources who desire to protect a private or public application infrastructure.
5.0 out of 5 stars
SQL Injection: The definitive guide
This book is the only book you will ever need on SQL injection. It is the best-of-breed book, well written, full of examples and charts. The author is absolutely knowledgeable about the subject and is very adept at explaining the subtleties of this attack. The learning curve is appropriate for any pentester.
This book is an absolute must for any web application penetration tester.
5.0 out of 5 stars
VERY VERY HIGHLY RECOMMENDED!!!
Are you in need of help with regards to SQL injection? If you are, then this book is for you! Author Justin Clarke has done an outstanding job of writing a book which aims to give the reader detailed insight into SQL injection, as being one of the most dangerous and well-known, yet misunderstood, security vulnerabilities on the Internet today.
Clarke begins by looking at the causes of SQL injection. In addition, the author discusses techniques for finding SQL injection issues from the perspective of the user sitting in front of his/her browser and interacting with a Web application. He then covers tips and tricks for finding SQL injection in code, from identifying where the user-controllable input can enter the application, to identifying the types of code constructs that can lead to an SQL injection exposure. Next, the author explores techniques for reading or returning data to the browser, for enumerating the database schema from the database, and for returning information out of band. Then, he looks at the basics of SQL injection and blind SQL injection. The author continues by discussing how to access the file system to perform useful tasks such as reading data and uploading files. Next, he explores more advanced techniques which you can use to enhance your SQL injection attacks, and to overcome obstacles that you may encounter. Then, the author covers several large areas of secure coding behavior as it relates to SQL injection. He continues by focusing on platform-level defenses that detect, mitigate, and prevent SQL injection. Finally, he provides a quick reference guide to a number of topics that should be useful for understanding SQL injection. This most excellent book provides the reader with sufficient depth to gain an understanding of the long-established, but recently growing threat of attacks from SQL injection. Perhaps more importantly, this book includes all of the currently known information about these attacks, and significant insight from the contributing team of SQL injection experts!
SQL Injection Attacks and Defense by Justin Clarke (Paperback - May 15, 2009)