Full Disclosure mailing list archives
Re: EUSecWest 2009 CFP (May 27/28, Deadline April 7 2009)
From: Sumit Siddharth <sumit.siddharth () gmail com>
Date: Thu, 2 Apr 2009 07:57:24 +0100
HI Drago, i didn't get a respose for my earlier mails. I would like to submit my talk "Recent Advancements in SQL Injection Injection Exploitation Technique". I gave this talk earlier at OWASP Appsec Au 2009, where it was very well received. The talk has a number of demos which makes it very enjoyable. Lemme know if you wish to include this. I am based in London.Here is the full agenda: Abstract This talk will cover different aspects of SQL Injection techniques and will highlight why every SQL Injection is unique. Starting with the very basics the talk will get more and more complex and will discuss exploiting SQL injections which seem to be un-exploitable. Numerous examples will be presented when the SQL Injection vulnerability will go undetected even by leading scanning software costing $$. A very common vulnerability will be shown along with a google dork which will return several "top" websites vulnerable. Further, a new technique of exploiting SQL Injection in Oracle to hack internal networks will be discussed. The Talk will also discuss a number of SQL injection tools and will prove why tools can still not replace a human pen tester. Outline:- *What is SQL Injections (yawn...) *Type Of SQL Injections (yawn...) *Identifying SQL injections (Identification.......time to wake up..) *xp_cmdshell is disabled, wtf....(exploitation) *whats xp_cmdshell alternative on mysql and oracle..(Exploitation) *Blind SQL Injections (exploitation/identification) *Deep Blind Injection (exploitation/identification) *Time Delay Functions & beyond (exploitation) * UTF7 encoding, magic quotes etc. *Avoiding Time Delay Functions (exploitation) *Convert Time Dealy to blind Injections (Exploitation) * Injection in order by,group by and limit clause (Exploitation .&.Surprise!!) *Out Of Band Channels (Exploitation) *Using Oracle's SQL Injection(UTL_HTTP) to own internal SQL server ( Exploitation) *Exploiting Internal hidden networks (Exploitation) * Can your tool detect these Why should you include this talk:- 1. As more and more injection tools are available in the market, this talk will help the audience choose the right tool for the right injection. 2. The oracle's utl_http method to sploit internal networks is cutting edge and no-one has ever talked about it, in the context i will talk. 3. Its fun, everyone loves sql injection, and its not a talk, its all demo and people will love to see the oracle sql injection returning a shell from a ms-sql server. About me:- I graduated from IIT Kanpur in 2005, and after working for NII Consulting for about a year i have shifted to U.K, where i work for Portcullis Computer Security. I have been a speaker at many conferences and my articles and advisories are available on various security websites.I also own the website www.notsosecure.com . /* I will probably rewrite the bio later */ Thanks Sid On Wed, Apr 1, 2009 at 10:29 PM, Dragos Ruiu <dr () kyx net> wrote:
Call For Papers
The EUSecWest 2009 CFP is now open.
Deadline is April 7th, 2009.
EUSecWest CALL FOR PAPERS
LONDON, U.K. -- The third annual EUSecWest applied
technical security conference - where the eminent figures
in the international security industry will get together
share best practices and technology - will be held in
downtown London at the Sound Club in Leicester Square
on May 27/28, 2009. The most significant new discoveries
about computer network hack attacks and defenses,
commercial security solutions, and pragmatic real world
security experience will be presented in a series of
informative tutorials.
The EUSecWest meeting provides international researchers
a relaxed, comfortable environment to learn from
informative tutorials on key developments in security
technology, and collaborate and socialize with their peers
in one of the world's most most important technology
hubs and scenic cities. The timing of the conference
allows international travelers to travel to Berlin for
FX's Ph-Neutral on the weekend, and Rennes the
following week for SSTIC.
We would like to announce the opportunity to submit
papers, and/or lightning talk proposals for selection by
the EUSecWest technical review committee. This year we
will be doing one hour talks, and some shorter talk
sessions.
Please make your paper proposal submissions before
April 7th, 2009.
Some invited papers have been confirmed, but a limited
number of speaking slots are still available. The
conference is responsible for travel and accommodations for
the speaker (one speaker airfare and one room). If you
have a proposal for a tutorial session then please email
a synopsis of the material and your biography, papers
and, speaking background to secwest09 [at] eusecwest.com .
Only slides will be needed for the paper deadline, full text
does not have to be submitted - but will be accepted if
available.
The EUSecWest 2009 conference consists of tutorials on
technical details about current issues, innovative
techniques and best practices in the information security
realm. The audiences are a multi-national mix of
professionals involved on a daily basis with security
work: security product vendors, programmers, security
officers, and network administrators. We give preference
to technical details and new education for a technical
audience.
The conference itself is a single track series of
presentations in a lecture theater environment. The
presentations offer speakers the opportunity to showcase
on-going research and collaborate with peers while
educating and highlighting advancements in security
products and techniques. The focus is on innovation,
tutorials, and education instead of product pitches. Some
commercial content is tolerated, but it needs to be backed
up by a technical presenter - either giving a valuable
tutorial and best practices instruction or detailing
significant new technology in the products.
Paper proposals should consist of the following
information:
1. Presenter, and geographical location (country of
origin/passport) and contact info (e-mail, postal
address, phone, fax).
2. Employer and/or affiliations.
3. Brief biography, list of publications and papers.
4. Any significant presentation and educational
experience/background.
5. Topic synopsis, Proposed paper title, and a one
paragraph description.
6. Reason why this material is innovative or significant
or an important tutorial.
7. Optionally, any samples of prepared material or
outlines ready.
8. Will you have full text available or only slides?
9. Language of preference for submission.
10. Please list any other publications or conferences
where this material has been or will be
published/submitted.
Please include the plain text version of this information
in your email as well as any file, pdf, sxw, ppt, or html
attachments.
Please forward the above information to secwest09 [at]
eusecwest.com to be considered for placement on the
speaker roster, or have your lightning talk scheduled. If
you contact anyone else at our organization please ensure
you also cc the submission address with your proposal or
it may be omitted from the review process.
cheers,
--dr
--
World Security Pros. Cutting Edge Training, Tools, and Techniques
London, U.K. May 27/28 2009 http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
-- Sumit Siddharth
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- EUSecWest 2009 CFP (May 27/28, Deadline April 7 2009) Dragos Ruiu (Apr 01)
- Re: EUSecWest 2009 CFP (May 27/28, Deadline April 7 2009) Sumit Siddharth (Apr 02)