My technical team has been training some new engineers and have been focusing on SQL injections for the last couple of days. They wanted me to share some great resources that they have found and have been told about to help with learning the basics of SQL syntax and such. They are currently working on compiling a set of vulnerable platforms and system images to create a deep lab environment with many examples and test scenarios in which to sharpen their skills and test new techniques and defenses.
The first site that they like is SQLZoo.Net which is a gentle online introduction to SQL. It is perfect for those who took a SQL course long ago, or who is in need of the basics. It is a quick refresher and instructor of SQL syntax, processes and command basics. This basic education mechanism lays the ground work for them to understand SQL queries and reverse engineer the instructions that are in place as they perform SQL injections. (Thanks to @tnicholson for the pointer to this site!)
Second, they have found the book Hacking Exposed: Web Applications Second Edition to be very helpful. The explanations about, and the examples of, SQL injections really helped them “get it”. Once they walked through this, side by side, with members of our penetration testing team, they really made huge strides and were able to immediately employ the examples in the lab. Thanks to the authors for their great work on this book. The entire Hacking Exposed series is simply fantastic for training up and coming security engineers!
Lastly, with special thanks to OWASP, the team found the use of the WebGoat tool to be amazing. This is an interactive web mechanism for stepping through a variety of basic attack patterns. While not complete, in and of itself, for real application penetration testing, it is a great educational tool and makes for great training examples. Our team spent a good deal of time learning to communicate and demonstrate the issues in WebGoat to a mock set of upper management folks who were role playing their parts. Our team members must be able to clearly, concisely and expertly communicate technical issues to non-technical folks, so this makes a great platform for training.
Thanks to all who helped by suggesting resources and thanks to the new techs for keeping their concentration so high. Our experienced engineers did a great job of bringing the new team members to the first floor, now they are showing them how to keep growing for the top. Great work!
If you would like to hear more about SQL injection, application security testing or would like to hear more about creating training/labs for SQL, please drop us a line.
Thanks for reading and I hope this gives you a pointer in the right direction to learn more about the basics of SQL injections!