Penetration Testing mailing list archives
RE: SQL injection
From: "Leandro Reox" <lmet5on () fibertel com ar>
Date: Fri, 10 Jun 2005 06:43:50 -0200
Good point Todd, I think everybody here agrees that the first countermeasure for SQL injection attacks is "Secure Programming". Bad coding will be your worst enemy at the time when "that kid inserts a ' in your login form". There's no perfect appliance for this kind of attack and maybe hours of customizing sigs aren't worth it. Most SQLi attackers will give up after typing a few " ' 'OR 1=1-- ". I say most of them, because there are a lot of good SQLi practitioners out there. Like Todd says, "nothing is 100% secure", so well-coded web apps + good sig-based detection + good DB diagramming + a lot of conscience makes a nice combo.

Cheers !

-----Original Message-----
From: Todd Towles [mailto:toddtowles () brookshires com]
Sent: Friday, June 10, 2005 3:16 AM
To: James Riden; Tim
Cc: pen-test () securityfocus com
Subject: RE: SQL injection

Well, sig-based detection is just that: sig based. So I am sure that new attacks or old attacks may be able to bypass most IDS/IPS with various techniques. But no IDS or IPS system is perfect. No firewall or AV is perfect. We are talking about protection - nothing is 100% secure. Blocking the basic SQL injection attack is better than nothing at all.
-----Original Message-----
From: jriden () it029205 massey ac nz [mailto:jriden () it029205 massey ac nz] On Behalf Of James Riden
Sent: Thursday, June 09, 2005 10:01 PM
To: Tim
Cc: pen-test () securityfocus com
Subject: Re: SQL injection

Tim <tim-pentest () sentinelchicken org> writes:

> I am sure many IPS/IDSes are great for stopping a lot of attacks. I find it incredibly hard to believe that they stop all. It is far better to write good code in the first place.

Definitely true.

> To those people out there who recommended this or that IPS/IDS: Have you tested these against real attacks?

Yes, I've caught real attacks using snort with the bleeding rules. As you say, perhaps only the obvious ones though ("xp_cmdshell").

--
James Riden / j.riden () massey ac nz / Systems Security Engineer
GPG public key available at: http://www.massey.ac.nz/~jriden/
This post does not necessarily represent the views of my employer.
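The login-form case the thread keeps coming back to, as an added example that is not code from any of the posters: the concatenated query that a single `'` breaks, the parameterized form that treats the same input as data, and a minimal stand-in for a sig-based rule that only catches the obvious payload. The in-memory database, the account, and the signature list are constructed for this demonstration.

```python
import re
import sqlite3


def build_db():
    """Constructed sample database: one users table with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def login_vulnerable(conn, username, password):
    """The 'bad coding' case: form fields are pasted into the SQL text, so a
    quote in the password field ends the string literal and the rest of the
    input becomes part of the WHERE clause."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """The 'secure programming' case: placeholders keep the input as data,
    so the same quote is just one more character compared against the
    column value and never changes the query's structure."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# Constructed stand-in for a signature-based IDS rule set: the two payloads
# named in the thread and nothing more (hypothetical patterns, not real rules).
BASIC_SIGNATURES = (
    re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
    re.compile(r"xp_cmdshell", re.IGNORECASE),
)


def matches_basic_signature(field_value):
    """Return True when a form field trips one of the basic signatures.
    This is the second layer of the 'good code + good sigs' combo, not a
    substitute for the parameterized query above."""
    return any(sig.search(field_value) for sig in BASIC_SIGNATURES)


if __name__ == "__main__":
    db = build_db()
    payload = "' OR 1=1--"   # the classic login-form tautology from the thread
    print("vulnerable login bypassed:", login_vulnerable(db, "anyone", payload))
    print("parameterized login bypassed:", login_parameterized(db, "anyone", payload))
    print("basic sig fires:", matches_basic_signature(payload))
```

Run it to see the concatenated query accept the tautology while the parameterized one rejects it and the signature flags the field.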