Temple University

Week 11 Summary

Reading: Full SQL Injection Tutorial

SQL injection is a technique that uses code injection via malicious statements and commands to attack applications, with the goal of dumping the database contents to the attacker. The tutorial goes to great lengths explaining each line of code, with expected results and variations. While it involves a fair amount of guessing, the article also provides the most common names of tables and columns.

A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete) and issue commands to the operating system.

Mitigation options include parameterized statements, escaping, pattern checks, hexadecimal conversion and limiting permissions on the database. Parameterized statements treat the injected input as just another (strange-looking) parameter value and never execute it as SQL.


In The News:

$1 million bounty for hacking iPhone has been claimed


Apple devices are widely considered extremely secure and hard to hack. But as the internet adage says, everything can be hacked, even the new iPhone. The challenge consisted of finding a way to remotely jailbreak a new iPhone or iPad, allowing the attacker to install any app he or she wants with full privileges. The initial exploit, according to the terms of the challenge, had to come through Safari, Chrome, or a text or multimedia message.
