
Dark Reading | Risk | Products and Releases
3/23/2010 03:31 PM

Core Security Expert Details Advanced SQL Injection Testing

Leading penetration testing specialist to demonstrate methods that boost accuracy of automated SQL injection assessment

VANCOUVER, B.C., CANADA, March 23, 2010 - Core Security Technologies, provider of CORE IMPACT Pro, the most comprehensive product for proactive enterprise security testing, today announced that one of its CoreLabs researchers will serve as a featured presenter at the CanSecWest Applied Security Conference 2010 being held at the Sheraton Wall Centre March 24-26.

At the conference, CoreLabs Researcher Fernando Federico Russ will demonstrate cutting-edge web application assessment techniques that highlight methods for automated identification and exploitation of SQL injection vulnerabilities.

Russ will specifically address improvement of the automated SQL injection vulnerability assessment process to eliminate false positives and to automatically generate exploit code to confirm problems. The presentation will demonstrate the use of black-box testing techniques for finding and exploiting SQL injection flaws, providing detailed analysis of the types of behaviors that hackers may be able to carry out once they have compromised any given vulnerability. The expert, whose responsibilities include conducting vulnerability research and creating new testing capabilities to be utilized in Core Security's automated testing solutions, will also examine common difficulties that are incurred when trying to expose SQL injection vulnerabilities, and methods for employing black-box interaction to automatically construct related exploits. The presentation is based on work conducted and submitted by Russ in cooperation with Core Specialist Researcher Sebastian Cufre.

"While SQL injection is an exploitation method that has been around for quite some time, it remains extremely relevant to security organizations worldwide as real-world attackers continue to carry out widespread campaigns that use the technique effectively to compromise systems and gain access to protected data," said Russ. "By creating new assessment techniques that use automation to find and exploit SQL injection flaws more efficiently we can help organizations locate and address critical vulnerabilities faster."

What: "Automated SQL Ownage Techniques"
When: Wednesday, March 24, 2010; 3:30-4:30 p.m. ET
Where: CanSecWest 2010, Sheraton Wall Centre, Vancouver, B.C.
Who: Fernando Federico Russ, CoreLabs Researcher

As the focus on web applications among advanced attackers continues to increase and SQL injection remains one of the primary methods used by cybercriminals to compromise applications and gain access to protected data, it is critical that organizations find better ways to assess their exposure to the involved vulnerabilities. Please join us for this extremely timely, informative presentation. Core Security feeds the intelligence garnered via the work of its CoreLabs research experts and SCS consultants directly into its CORE IMPACT family of automated penetration testing solutions to ensure that organizations can proactively determine their exposure to such widely available vulnerabilities.

For more information about the presentation or to schedule meetings with Core Security's experts at CanSecWest 2010 please contact Tim Whitman or Lauren O'Leary at 781-684-0770 or via email at: [email protected]

About Core Security Technologies

Core Security Technologies provides IT security executives with comprehensive security testing and measurement of their IT assets by adding real-world actionable intelligence and verification to their IT security management efforts. Our software products build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at 617-399-6980 or on the Web at: http://www.coresecurity.com.

Contacts: Tim Whitman or Lauren O'Leary Schwartz Communications 781 684-0770 [email protected]
