Thursday, December 31, 2009

SQL Injection Resources

(from Robert Portvliet)

Here's list of some (SQL Injection) resources I had put together, a good portion of it is probably covered in the Phoenix OWASP list, but here it is anyway:

Vulnerable WebApps:

GOAT - http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

MOTH - http://www.bonsai-sec.com/en/research/moth.php

Damn Vulnerable Web App - http://www.dvwa.co.uk/

Mutillidae - http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10

Hackme Bank - http://www.foundstone.com/us/resources/proddesc/hacmebank.htm

Hackme Travel - http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm

Hackme Shipping -
http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm

Hackme Casino - http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm

Videos & webcasts:

OWASP Appsec NYC 2008 -
http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference

Caught in the web series - http://www.coresecurity.com/content/ondemand-caught

Invasion of the browser snatchers series -
http://www.coresecurity.com/content/on-demand-snatchers

Advanced SQL injection -
http://www.irongeek.com/i.php?page=videos/joe-mccray-advanced-sql-injection

Websec 101 - http://www.foundstone.com/us/websec101.asp

Hackme Bank & Hackme Travel videos-
http://www.foundstone.com/us/resources-videos.asp

Tools

Samurai Web Testing Framework (Live CD which contains most tools
needed to perform web assesment) - http://samurai.inguardians.com

Methodologies

OWASP Testing Guide -
http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf

Cheat Sheets

SQL Injection Cheat Sheet -
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/

SQL Injection Cheat Sheet - http://michaeldaw.org/sql-injection-cheat-sheet

SQL Injection Cheat Sheet w/ filter evasion - http://ha.ckers.org/sqlinjection/

SQL Injection Cheat Sheets sorted by DB -
http://pentestmonkey.net/index.php?option=com_content&task=category&sectionid=9&id=24&Itemid=1

XSS Cheat Sheet w/ filter evasion - http://ha.ckers.org/xss.html

Web App Assesment Cheat Sheet -
http://www.secguru.com/files/cheatsheet/webappcheatsheet2.pdf

Books:

Web Application Hackers Handbook - http://portswigger.net/wahh/

Whitepapers & slides-

OWASP article on Web application penetration testing -
http://www.owasp.org/index.php/Web_Application_Penetration_Testing

Advanced SQL injection -
http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf

Best of web application penetration testing tools -
http://pauldotcom.com/TriplePlay-WebAppPenTestingTools.pdf

(The next two papers are a little old, but still quite useful)

Advanced SQL Injection in SQL Server -
http://www.ngssoftware.com/papers/advanced_sql_injection.pdf

(More) Advanced SQL Injection in SQL server -
http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf

1 comment:

Jim Manico said...

An even more detailed version of this list can be found at http://www.owasp.org/index.php/Phoenix/Tools