More than SQL injection
When it comes to database security, there is more to it than plain old SQL injection within a web application: the underlying database systems themselves have their own issues. One good resource is about.com, which has articles about inference (finding information by inference, without needing extra privileges) and privilege escalation. Another is from David Litchfield, arguably the guru of database security; his site has a few links and whitepapers about different databases, though it is more Oracle-specific. A solid one-pager can be found at governmentsecurity.org.

Have you read the WAHH (they cover SQL injection inference and other inference attacks in depth using Absinthe, et al.) or seen the SensePost squeeze tool yet?