Yoo. Welcome to Issue #06 of Navigating Security.
Quote of the week:
SQL injection is one of the least sophisticated yet most dangerous threats to web application security ~ Kevin Mitnick
What To Expect
Finding and exploiting SQLi using manual methods and automated tooling
A Cloud Security Engineer roadmap to get you from zero to hero
A comprehensive research playbook for Android security
In case you missed the previous issue, here you go:
This Week's YouTube Video:
Is this love or is this SQL Injection?
Not sponsored
One of the best SQLi writeups I've seen in a minute
I haven't found SQLi in a pentest or during the little bug bounty hunting that I do, but apparently, some people do. This write-up goes into detail about how you could potentially exploit SQLi using both manual methods and automated tooling. Here's the TLDR:
Identify SQL injection vulnerability using error-based SQLi technique.
Use SQLMap for automatic detection, leveraging time-based SQLi to confirm.
Overcome length filter via manual enumeration by focusing on metadata extraction.
Use shorter query payloads, nested queries, and built-in functions for efficiency.
Achieve database and table name extraction by bypassing the web application's imposed character limit restrictions - shorter payloads.
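Why the character limit in that TLDR did not stop the injection, shown from the defender's side as an added example (not code from the write-up): a length check in front of a concatenated query, next to the same query with a bound parameter. The table, the 12-character limit and the sample rows are constructed for illustration.

```python
import sqlite3

MAX_LEN = 12  # constructed character limit, standing in for the app's filter


def make_db():
    """Build a throwaway in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, released INTEGER)")
    db.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [("lamp", 1), ("desk", 1), ("prototype", 0)],
    )
    return db


def search_concat(db, term):
    """Weak pattern: length check, then string concatenation into SQL."""
    if len(term) > MAX_LEN:
        raise ValueError("input too long")
    sql = "SELECT name FROM products WHERE released = 1 AND name = '" + term + "'"
    return [row[0] for row in db.execute(sql)]


def search_bound(db, term):
    """Corrected pattern: the value is bound, so it is never parsed as SQL."""
    if len(term) > MAX_LEN:
        raise ValueError("input too long")
    sql = "SELECT name FROM products WHERE released = 1 AND name = ?"
    return [row[0] for row in db.execute(sql, (term,))]


if __name__ == "__main__":
    db = make_db()
    short_input = "' OR 1=1--"  # 10 characters, so it passes the length check
    # Concatenated: the quote closes the literal and the filter on
    # "released" is bypassed, so the unreleased row comes back too.
    print("concatenated:", search_concat(db, short_input))
    # Bound: the same bytes are compared as a plain name and match nothing.
    print("bound:       ", search_bound(db, short_input))
    print("bound, normal:", search_bound(db, "lamp"))
```

A lone `'` sent to `search_concat` raises `sqlite3.OperationalError`, which is the error-based signal from the first TLDR item; `search_bound` simply returns no rows for it.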
Cloud security roadmap
Pwnedlabs released a guide to get into cloud security a while ago. This guide covers some of the following areas:
Linux and Containers
Cloud Security Principles
Hacker Mindset
Automation and Scripting
Data Encryption, Keys, and Storage
https://pwnedlabs.io/roadmaps/cloud-security-engineer/roadmap.pdf
Android Security Research Playbook
Darkwolf Solutions also recently released something: a playbook for Android research. I haven't looked at the entire thing, but best believe I will be. I skimmed through the table of contents and bookmarked the thing immediately!
https://github.com/DarkWolf-Labs/playbooks/blob/main/Android-Security-Research-Playbook.pdf
Suggestions
Hit me up on Discord or LinkedIn if you have anything you feel would be cool to include. Thanks, Cheers.