Ettore Galluccio - SQL Injection Strategies: Practical techniques to secure old vulnerabilities against modern attacks

Practical techniques to secure old vulnerabilities against modern attacks

Ettore Galluccio

Edoardo Caselli

Gabriele Lombari

BIRMINGHAMMUMBAI

Copyright 2020 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Commissioning Editor: Amey Verangaonkar

Acquisition Editor: Meeta Rajani

Senior Editor: Arun Nadar

Content Development Editor: Romy Dias

Technical Editor: Sarvesh Jaywant

Copy Editor: Safis Editing

Project Coordinator: Neil Dmello

Proofreader: Safis Editing

Indexer: Pratik Shirodkar

Production Designer: Jyoti Chauhan

First published: July 2020

Production reference: 1140720

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-83921-564-3

www.packt.com

To my lovely parents who made me who I am with their support and love. Thank you.

Ettore Galluccio

To my late friend, Emanuele. The brightest lights always leave their mark.

Edoardo Caselli

To my family and my lovely girlfriend, Alessia; thank you for always supporting and encouraging me to step out of my comfort zone and take on new challenges.

Gabriele Lombari

Packt.com

Subscribe to our online digital library for full access to over 7,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.

• Spend less time learning and more time coding with practical eBooks and videos from over 4,000 industry professionals
• Improve your learning with Skill Plans built especially for you
• Get a free eBook or video every month
• Fully searchable for easy access to vital information
• Copy and paste, print, and bookmark content

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at packt.com and, as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at customercare@packtpub.com for more details.

At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.

Ettore Galluccio has 20+ years' experience in secure system design and cyber risk management and possesses wide-ranging expertise in the defense industry, with a focus on leading high-impact cyber transformation and critical infrastructure programs. Ettore has headed up cybersecurity teams for numerous companies, working on a variety of services, including threat management, secure system life cycle design and implementation, and common criteria certification and cybersecurity program management. Ettore has also directed the EY Cybersecurity Master in collaboration with CINI (National Interuniversity Consortium for Computer Science) and holds various international certifications in information security. His true passion is working on ethical hacking and attack models.

I want to thank my lovely wife, Daniela, and my children: without your support and prayers, I wouldn't have been able to complete this book.

Edoardo Caselli is a security enthusiast in Rome, Italy. Ever since his childhood, he has always been interested in information security in all of its aspects, ranging from penetration testing to computer forensics. Edoardo works as a security engineer, putting into practice most aspects in the world of information security, both from a technical and a strategic perspective. He is a master's graduate in computer science engineering, with a focus on cybersecurity, and wrote his thesis on representation models for vulnerabilities in computer networks. Edoardo is also a supporter of the Electronic Frontier Foundation, which advocates free speech and civil rights on online platforms and on the internet.

I wish to thank all those people who believed in me, both during my academic and professional years. From my parents to my friends and colleagues, near and far: you all had a part in making me who I am now. Special thanks to the love of my life, Sofia, my true inspiration.

Gabriele Lombari is a cybersecurity professional and enthusiast. During his professional career, he has had the opportunity to participate in numerous projects involving different aspects, concerning both strategic and technical issues, with a particular focus on the power and utilities industry. The activities he has made a contribution to have largely involved application security, architecture security, and infrastructure security. He graduated cum laude in computer science. During his free time, he is passionate about technology, photography, and loves to consolidate his knowledge of topics related to security issues.

Thanks to my senior manager, Ettore, for giving me the opportunity and freedom to explore and innovate and to be a good counselor and friend. Thanks to Fausto, Gianluca, and Carmela for giving me the opportunity to grow professionally and personally and for being good friends. Thanks to my friends of a lifetime, Michele and Antonio, for always being there. Thanks to Giacomo and Edoardo for being good colleagues and friends.

Osanda Malith Jayathissa is a security researcher who's currently spending time in red teaming. He is passionate about reverse engineering, malware analysis, and Windows internals. He started his infosec journey with a single quote (SQL injection) at the age of 12. He has provided manual penetration testing for clients across many sectors, including banking, insurance, media, entertainment, healthcare, and finance in the UK. He currently works as an IT security consultant for a reputable company in the UK.

He has been acknowledged by many organizations for reporting vulnerabilities. These include Microsoft, Facebook, Apple, AT&T, Oracle, Adobe, Nokia, Twitter, Sony, eBay, SoundCloud, RedHat, GitHub, Huawei, Dell, Samsung, and Intel. He currently holds OSCP, OSCE, OSWP, eCPPTX, eCRE, eCXD, eCPPT Gold, eWPTX, eWPT, CREST CRT Pen, and CRTP certifications.