SQL Injection Strategies: Practical techniques to secure old vulnerabilities against modern attacks

Ettore Galluccio, Edoardo Caselli, Gabriele Lombari

  • Publisher: Packt Publishing
  • Publication date: 2020-07-15
  • Price: $1,390
  • VIP price: $1,321 (95% of list price)
  • Language: English
  • Pages: 212
  • Binding: Quality Paper - also called trade paper
  • ISBN: 183921564X
  • ISBN-13: 9781839215643
  • Category: SQL

Product Description

Learn to exploit vulnerable database applications using SQL injection tools and techniques, while understanding how to effectively prevent attacks

Key Features

  • Understand SQL injection and its effects on websites and other systems
  • Get hands-on with SQL injection using both manual and automated tools
  • Explore practical tips for various attack and defense strategies relating to SQL injection

Book Description

SQL injection (SQLi) is probably the most infamous attack that can be unleashed against applications on the internet. SQL Injection Strategies is an end-to-end guide for beginners looking to learn how to perform SQL injection and test the security of web applications, websites, or databases, using both manual and automated techniques. The book serves as both a theoretical and practical guide to take you through the important aspects of SQL injection, both from an attack and a defense perspective.

You'll start with a thorough introduction to SQL injection and its impact on websites and systems. Later, the book features steps to configure a virtual environment, so you can try SQL injection techniques safely on your own computer. These tests can be performed not only on web applications but also on web services and mobile applications that can be used for managing IoT environments. Tools such as sqlmap and others are then covered, helping you understand how to use them effectively to perform SQL injection attacks.

By the end of this book, you will be well-versed with SQL injection, from both the attack and defense perspective.

What you will learn

  • Focus on how to defend against SQL injection attacks
  • Understand web application security
  • Get up and running with a variety of SQL injection concepts
  • Become well-versed with different SQL injection scenarios
  • Discover SQL injection manual attack techniques
  • Delve into SQL injection automated techniques

Who this book is for

This book is ideal for penetration testers, ethical hackers, or anyone who wants to learn about SQL injection and the various attack and defense strategies against this web security vulnerability. No prior knowledge of SQL injection is needed to get started with this book.

About the Authors

Ettore Galluccio has 20+ years' experience in secure system design and cyber risk management and possesses wide-ranging expertise in the defense industry, with a focus on leading high-impact cyber transformation and critical infrastructure programs. Ettore has headed up cybersecurity teams for numerous companies, working on a variety of services, including threat management, secure system life cycle design and implementation, and common criteria certification and cybersecurity program management. Ettore has also directed the EY Cybersecurity Master in collaboration with CINI (National Interuniversity Consortium for Computer Science) and holds various international certifications in information security. His true passion is working on ethical hacking and attack models.

Edoardo Caselli is a security enthusiast in Rome, Italy. Ever since his childhood, he has always been interested in information security in all of its aspects, ranging from penetration testing to computer forensics. Edoardo works as a security engineer, putting into practice most aspects in the world of information security, both from a technical and a strategic perspective. He is a master's graduate in computer science engineering, with a focus on cybersecurity, and wrote his thesis on representation models for vulnerabilities in computer networks. Edoardo is also a supporter of the Electronic Frontier Foundation, which advocates free speech and civil rights on online platforms and on the internet.

Gabriele Lombari is a cybersecurity professional and enthusiast. During his professional career, he has had the opportunity to participate in numerous projects covering both strategic and technical issues, with a particular focus on the power and utilities industry. The activities he has contributed to have largely involved application security, architecture security, and infrastructure security. He graduated cum laude in computer science. In his free time, he pursues his passions for technology and photography, and enjoys deepening his knowledge of security-related topics.

Table of Contents

  1. Structured Query Language for SQL Injection
  2. Manipulating SQL – Exploiting SQL Injection
  3. Setting Up the Environment
  4. Attacking Web, Mobile, and IoT Applications
  5. Preventing SQL Injection with Defensive Solutions
  6. Putting It All Together
