SQL injection — engagement methodology
The piece I have been promising the engagements team since January. The five places SQLi shows up, the structural answers, and why the WAF is not actually a defence.
There is no part of the HBGary Federal hack that should have worked. SQL injection on a custom CMS, unsalted MD5, password reuse into Google Apps administration, and an unsalted social-engineering message to a sysadmin at rootkit.com.
A sustained mass SQL-injection wave through spring 2008 has compromised hundreds of thousands of websites. The Asprox botnet appears to be the dominant operator.