Excellent presentation Paul! The TLV charts and sequencing diagrams were perfect. I also really liked the mentality of crafting payloads like you would simple stack overflows w/ NOPs or trampolines (exploitation really is art). Paul really opened a lot of eyes with this talk about how you can still achieve SQL Injection in the most impossible of scenarios. Well done 👏👏👏
This is amazing thanks!
Given that Azure actually exposes Postgres DBMSes to the internet ... I wonder if this can be used to attack these. People claim these are ok since there is access control at the DB layer, but ...
For postgres, this is an attack on the application’s pg client, not the pg server.
25:16 I got some deja vu - I felt like that BSON attack had been presented before, at some conference. (We probably need a searchable meta db that can help cross-reference all tech conference talks.)
I wonder if anyone is still using PHP.
26:37
ouch
Sounds interesting, but I stopped watching at "home of clean code"; clean code is a bad cult.
Lol. They develop one of the most impactful security tools used for development. You should check your own presumptions if this is how you actually feel.
weird reason not to watch a very good talk lol
@MiesvanderLippe that might well be, but besides Clean Code being an absolute bullshit cult, Bob Martin, the guy behind Clean CodeTM!!!, is a Trump supporter, rabid sexist, etc. Tech has massively drifted to the right and I won't be silent about this trash. Responsibility is a thing.
People you disagree with can still have great ideas.
@MissingInterval Sure! I just don't wanna have right wing weirdos in the back of my head when I'm consuming infosec content. (And on a technical level, clean code still sucks, but granted: that's probably not too relevant for this talk in particular. Though I would potentially not do business with clean code adherents on the suckiness alone.)