SQL Injection Attacks and Defense - 2009

Contributing Authors
Rodrigo Marcos Alvarez (MSc, BSc, CREST, CISSP, CNNA, OPST,
MCP) is the founder and technical director of SECFORCE. SECFORCE
is a UK-based IT security consultancy that offers vendor-independent and
impartial IT security advice to companies across all industry fields.
Rodrigo is a contributor to the OWASP project and a security researcher.
He is particularly interested in network protocol analysis via fuzzing testing.
Among other projects, he has released TAOF, a protocol agnostic GUI fuzzer,
and proxyfuzz, a TCP/UDP proxy which fuzzes on the fly. Rodrigo has
also contributed to the web security field by releasing bsishell, a python
interacting blind SQL injection shell and developing TCP socket reusing
attacking techniques.
Dave Hartley has been working in the IT security industry since 1998.
He is currently a security consultant for Activity Information Management,
based in the United Kingdom, where he is responsible for the development
and delivery of Activity’s technical auditing services.
Dave has performed a wide range of security assessments and provided
a myriad of consultancy services for clients in a number of different sectors,
including financial institutions, entertainment, media, telecommunications,
and software development companies and government organizations
worldwide. Dave is a CREST certified consultant and part of Activity’s
CESG CHECK team. He is also the author of the Bobcat SQL injection
exploitation tool.
Dave would like to express heartfelt thanks to his extremely beautiful
and understanding wife Nicole for her patience and support.
Joseph Hemler (CISSP) is a co-founder and Director of Gotham Digital
Science, an information security consulting firm that works with clients to
identify, prevent, and manage security risks. He has worked in the realm of
application security for over 9 years, and has deep experience identifying,
iv