Chapter 19 Further Reading: Injection Attacks
Essential Books
SQL Injection Attacks and Defense, 2nd Edition. Justin Clarke-Salt. Syngress, 2012. The definitive reference on SQL injection, covering every technique from basic to advanced, across all major database platforms. Includes detailed chapters on blind injection, out-of-band techniques, and defense strategies. Required reading for anyone specializing in web application security.
The Web Application Hacker's Handbook, 2nd Edition. Dafydd Stuttard and Marcus Pinto. Wiley, 2011. Chapters 9-10 provide comprehensive coverage of injection attacks in the context of overall web application testing methodology. The practical approach and real-world examples make complex techniques accessible.
Black Hat Python, 2nd Edition. Justin Seitz and Tim Arnold. No Starch Press, 2021. While not injection-specific, the Python scripting techniques are directly applicable to building custom injection tools and automating blind extraction.
Online Training and Labs
PortSwigger Web Security Academy: SQL Injection. https://portswigger.net/web-security/sql-injection Free, comprehensive SQL injection training with 18+ interactive labs covering every technique discussed in this chapter. Includes labs for UNION-based, blind, error-based, and out-of-band injection across multiple database types.
PortSwigger: Server-Side Template Injection. https://portswigger.net/web-security/server-side-template-injection Free training and labs for SSTI, including detection methodology and exploitation across multiple template engines.
PortSwigger: OS Command Injection. https://portswigger.net/web-security/os-command-injection Labs covering basic and blind command injection with multiple operator types.
OWASP Juice Shop. https://owasp.org/www-project-juice-shop/ Multiple injection challenges of varying difficulty, including SQL injection, NoSQL injection, and command injection. The score board tracks progress across 100+ challenges.
SQLi-Labs (GitHub). https://github.com/Audi-1/sqli-labs A collection of 65+ SQL injection challenges with increasing difficulty. Each lab focuses on a specific technique or bypass. Ideal for systematic practice.
Tool Documentation
sqlmap Official Documentation. https://github.com/sqlmapproject/sqlmap/wiki Comprehensive documentation for sqlmap, including all switches, tamper scripts, and advanced features. The wiki includes practical usage examples for each database type.
sqlmap Tamper Scripts Reference. https://github.com/sqlmapproject/sqlmap/tree/master/tamper Source code and descriptions for all tamper scripts. Understanding these is essential for WAF bypass during authorized testing.
Commix Documentation. https://github.com/commixproject/commix/wiki Documentation for the command injection exploitation tool, including supported techniques and advanced features.
Research and Technical References
OWASP SQL Injection Prevention Cheat Sheet. https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html The definitive quick reference for SQL injection defense, covering parameterized queries, stored procedures, allowlisting, and escaping across multiple languages.
OWASP Query Parameterization Cheat Sheet. https://cheatsheetseries.owasp.org/cheatsheets/Query_Parameterization_Cheat_Sheet.html Code examples for parameterized queries in Java, .NET, PHP, Ruby, and Python.
PortSwigger SQL Injection Cheat Sheet. https://portswigger.net/web-security/sql-injection/cheat-sheet A quick reference for SQL injection syntax across MySQL, PostgreSQL, Oracle, and MSSQL. Covers string concatenation, comments, version detection, and data extraction queries.
PayloadsAllTheThings: SQL Injection. https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection Community-maintained collection of SQL injection payloads, bypass techniques, and cheat sheets. Updated regularly with new techniques.
PayloadsAllTheThings: NoSQL Injection. https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection Comprehensive collection of NoSQL injection payloads for MongoDB, CouchDB, and other NoSQL databases.
Case Study Sources
Heartland Payment Systems Breach Analysis. Stammberger, K. "Lessons Learned from the Heartland Payment Systems Breach." SANS Institute, 2009. Detailed technical and organizational analysis of the Heartland breach, including timeline, attack methodology, and remediation lessons.
TalkTalk Breach Reports. Information Commissioner's Office (ICO). "TalkTalk Monetary Penalty Notice." 2016. The official ICO report detailing the failures that led to the breach and the rationale for the fine.
HackerOne Hacker-Powered Security Reports. https://www.hackerone.com/resources/reporting Annual reports with statistics on vulnerability types, bounty amounts, and industry trends. Provides data context for how injection ranks among reported vulnerabilities.
Standards
CWE-89: SQL Injection. https://cwe.mitre.org/data/definitions/89.html The Common Weakness Enumeration entry for SQL injection, including detection methods, potential mitigations, and real-world examples.
CWE-78: OS Command Injection. https://cwe.mitre.org/data/definitions/78.html The CWE entry for command injection, with detailed classification of subtypes.
OWASP Testing Guide: Injection Testing. https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/ The complete OWASP testing methodology for all injection types, including step-by-step procedures for SQL, NoSQL, LDAP, XML, and command injection testing.