One More Day to Get a MacBook Air, Surface Pro 7, or $350 Off with OnDemand Training

Pen Test Berlin 2015

Berlin, Germany | Mon, Jun 22 - Sat, Jun 27, 2015
This event is over,
but there are more training opportunities.

Developer's disappointed expectations manifested in poor code

  • Some examples from plain vanilla SQL injection flaws to time based blindSQL injections attacks and exploitable HQL (Hibernate) injections dueto the bad usage of a good O/R mapper.
  • Ralf Reinhardt
  • Tuesday, June 23rd, 7:00pm - 8:00pm

SQL injections seems to be an eternal pain in web applications, web services or idiosyncratic rich clients since they were first discussed at the end of the 90s. Assuming that your data, your information, your knowledge are your core assets, your intellectual property, your trade secrets the impact of SQLI is very often fatal.

It's a history of 17 years of disappointment: The stupid application user simply does not behave as the clever software developer thought he or she should do. In the meantime his boss meanders with phrases like time to market, milestones, deadline or going live. Form follows function is quite nice for buildings, but absolutely not sufficient for hacking proof products:

The disappointment derives from irregular user activities, which can be performed easily by anyone just by typing in some data into an input field. Due to missing or inadequate input validation this data becomes command. Together with old school duct-tape style query concatenation failure is inevitable: The genuine query (as expected by the developer) is altered into a malicious one (as manipulated by the attacker) before hitting the interpreter and therefore finally hitting the database. It is very common that several developers are working on one project, so the guy handling the user input from the client or browser is probably not necessarily the same who is handling Persistence in the database. They both might think: Didn't YOU handle this?

The good news is: Mitigation is (usually) very simple. Once a developer or even better, also the project manager - is aware what really can (and sooner or later will) happen, he or she might start looking beyond his or her nose and hopefully stop to stubbornly cast functional use cases into simple source code. A lack of security is always a quality issue. Knowledge helps in prevention. This talk tries to give some technical insights as described in the title.

Bonus Sessions

The following bonus sessions are open to all paid attendees at no additional cost. There are many different types of events that fall into these categories:

  • SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.
Monday, June 22
Session Speaker Time Type
PowerShell for Pentesters James Shewmaker Monday, June 22nd, 7:30pm - 8:30pm SANS@Night
Tuesday, June 23
Session Speaker Time Type
Bypassing HTTP Strict Transport Security Jose Selvi Tuesday, June 23rd, 6:00pm - 7:00pm SANS@Night
Developer's disappointed expectations manifested in poor code Ralf Reinhardt Tuesday, June 23rd, 7:00pm - 8:00pm SANS@Night
Thursday, June 25
Session Speaker Time Type
Playing with SCADA's Modbus Protocol Justin Searle Thursday, June 25th, 6:00pm - 7:00pm SANS@Night
Hacking Survival: So, you want to compute post-apocalypse? Larry @haxorthematrix Pesce Thursday, June 25th, 7:00pm - 8:00pm SANS@Night
Friday, June 26
Session Speaker Time Type
A History of ATM Violence - From blowing up safes over jackpotting to all-round malware Erik Van Buggenhout Friday, June 26th, 6:00pm - 7:00pm SANS@Night