Shawn Asmus, Kristov Widak: “Mirror Mirror – Reflected PDF Attacks using SQL Injection” (BSides Las Vegas 2012) (Hacking Illustrated Series InfoSec Tutorial Videos)
SQL injection vulnerabilities are old hat, but many web applications in production are still prone to this flaw. One subclass of these is websites that serve PDF documents from dynamically built URLs. We demonstrate that, in certain cases, trusted websites prone to SQLi that also deliver binary file content such as PDFs can be used surreptitiously for stealthy data extraction and obfuscated malware delivery, even when database security is otherwise configured properly. The talk is based on findings from a real-world application penetration test.

Download:
http://archive.org/download/BsidesLasVegas2012/2.1.5ShawnAsmusKristovWidakMirrorMirrorReflectedPdfAttacksUsingSqlInjection.avi

Copyright 2014, IronGeek
Louisville / Kentuckiana Information Security Enthusiast