CONFidence - (29-30.11 2010 Prague)
Language: polski | english |cesky

Johannes Dahse

Bio: Johannes Dahse is studying IT security at the Ruhr-University in Bochum, Germany, where he also gives a practical course in Web Application Security – his main research interest. He is the developer of the tool RIPS (a static source code analyser for vulnerabilities in PHP scripts) and a co-author of the book “Secure Webapplications” by Mario Heiderich, Christian Matthies and fukami.

Topic of Presentation: SQLi filter evasion and obfuscation

Language: English

Abstract: SQL injections (SQLi) are well known for years and yet they are one of the major server-side vulnerabilities. Today, several applications have their own filters implemented to detect and prevent exploitation, others try to protect their applications by WAFs or IDS. In this talk I will give an introduction on how SQL code can be obfuscated by attackers to bypass present filters when injecting into a MySQL query. We will also see how different WAF/IDS products are prone to the presented filter evasion techniques. This talk will not cover the boring aspects of SQL injection and tries to give a new perspective on SQL code.