Active subscribers – to download this issue click on the cover of the magazine on the main website or scroll down this page and click the Download button
Single issue buyers – after paying for this issue click “SQL Injection – PenTest 07/2011″ (which will show just above that text)to download your copy of the magazine
SQL Injection Pen-Testing
by Sow Ching Shiong
SQL Injection is an attack in which the attacker manipulates input parameters which directly affect an SQL statement. This usually occurs when no input sanitisation is conducted. Depending on permissions, an attacker may be able to read database contents or even write to the database. In this article, the author will show you how to perform SQL injection pen-testing using open source and free tools available for Windows and Linux.
SQL Injection: Inject Your Way to Success
by Christopher Payne
Databases are the backbone of most commercial websites on the internet today. They store the data that is delivered to website visitors (including customers, suppliers, employees, and business partners). Backend databases contain lots of juicy information that an attacker may be interested in. Here the author makes a great introduction into the art of SQL Injection.
Fuzzing for Free
by Mrityunjay Gautam
As a developer working on a product release, we tend to re-use most of the legacy code from the previous release and then work on the new features and bug-fixes only. As a QA resource, we would be using the same “conformance test suite” or the same “stress test suite” to ensure that the new builds are working as expected. In this article the author gives us the good insight into the theory of the art of fuzzing.
Fuzzing With Sulley
by Jose Selvi
Can you write a simple python script? Can you understand a network protocol and describe it using a simple object set? If so, you can find your own 0-day vulnerabilities! In this article we are going to describe how we can use Sulley Fuzzing Framework with a real vulnerable FTP Server. As it is mentioned above, the author presents you how to use the Sulley Tool.
Fuzzing With WebScarab
by Sagar Chandrashekar
In order to follow along with the fuzzing exercises in this article, you will need a fuzzer and fuzzing target. WebScarab will be our fuzzer and WebGoat web application is our target. WebScarab and WebGoat can be installed on both Linux and Windows machines. WebScarab is a framework maintained by OWASP. It helps security engineers, developers to identify vulnerabilities and bugs in web applications. It is written in Java, and is thus portable to many platforms. The author focuses on describing how does the WebScarab Tool work like.
Introduction to exploit automation with Pmcma, Part II
by Jonathan Brossard
This year a tool called Pmcma (Post Memory Corruption Memory Analysis) was released at the Blackhat US security conference. The following article is an introduction to Pmcma. The second part of the article describes pmcma.c implementation, focusing on attacking function pointers, simulating arbitrary reads, detecting unaligned memory accesses and finally automating analysis and exploitation scenarios. The author made a serious efforts to provide you all the details concerning this tool, that you might need.
Maximizing Value in Penetration Testing
by Ed Skoudis
The penetration testing business faces a great danger as more and more people jump into the field offering very low-value penetration tests that are little better than an automated vulnerability scan. In this article, we’ll discuss how to conduct your tests and write up results so that they can provide significant business value to the target organization. The author will surely convince you that the quality of your services is what really matters in this business.
Interview with Dean Bushmiller
by Aby Rao
Dean currently consults on information assurance and operational security. Proving insecurity by penetration testing is a natural part of consulting. He focuses on converting the business philosophy of „security is an obstacle” to „security is a money maker”. He has served on 6 beta testing teams. He is the subject matter expert on the 10 domains of the CISSP official curriculum. In this interview Aby talks with Dean about his career, courses he’s leading and his statement about today’s security business condition.
Comments are closed.