WebApp Sec mailing list archives
Re: XSS, SQL injection etc - permutations of input strings
From: Jonathan Angliss <jon () netdork net>
Date: Mon, 20 Sep 2004 22:20:55 -0500
Hello Mike, Saturday, September 18, 2004, 6:15:54 PM, you wrote:
Over the past few days I've seen many posts about different ways of encoding XSS/SQL injection strings, as well as leveraging a discovered vulnerability in order to get more information about the target (other DB fields/schema).
The question I'd like to ask the list is once you know a particular input vector is vulnerable, why are people trying to push the exploit further, assuming that they are pen-testing rather than hacking the target? For the uninformed client, being able to show them that you 0wn3 their server/app once should be enough to treat *any* discovered flaw as serious enough to fix, even if it's only a JS alert box, a "or 1=1", or a "select from another table" attack.
While sometimes it seems odd to continue bashing away at certain points, consider it a good method to establish what else lies beneath. You might be able to find out a lot more, and find further weaknesses in other points of the system. Consider it like a punctured tire, simply covering the hole doesn't mean you fixed the issue, you just averted all the air escaping. To really fix the issue, you need to remove the nail, and plug it correctly. You can never know when a code change in another location might have an unsuspecting affect on the "fix" you put over that hole, or if it'll leave a new hole to a security issue you could have discovered by bashing away at the same hole that was discovered before. -- Jonathan Angliss <jon () netdork net>
Current thread:
- XSS, SQL injection etc - permutations of input strings Mike Andrews (Sep 18)
- Re: XSS, SQL injection etc - permutations of input strings Harrison Gladden (Sep 20)
- RE: XSS, SQL injection etc - permutations of input strings Mike Andrews (Sep 21)
- RE: XSS, SQL injection etc - permutations of input strings Eyal Udassin (Sep 20)
- Re: XSS, SQL injection etc - permutations of input strings Ben Timby (Sep 20)
- Re: XSS, SQL injection etc - permutations of input strings Keith Roberts (Sep 21)
- Re: XSS, SQL injection etc - permutations of input strings Devdas Bhagat (Sep 23)
- Re: XSS, SQL injection etc - permutations of input strings focus (Sep 27)
- Re: XSS, SQL injection etc - permutations of input strings James Barkley (Sep 29)
- Re: XSS, SQL injection etc - permutations of input strings Devdas Bhagat (Sep 23)
- Re: XSS, SQL injection etc - permutations of input strings Harrison Gladden (Sep 20)
- Re: XSS, SQL injection etc - permutations of input strings Jonathan Angliss (Sep 22)
- <Possible follow-ups>
- Re: XSS, SQL injection etc - permutations of input strings focus (Sep 21)
- RE: XSS, SQL injection etc - permutations of input strings Scovetta, Michael V (Sep 22)
- RE: XSS, SQL injection etc - permutations of input strings Frank Knobbe (Sep 24)
- RE: XSS, SQL injection etc - permutations of input strings Mike Jordan (Sep 27)
- Hacking/security in main-stream media Mike Andrews (Sep 30)
- List of Movies with security emphasis (in reply to: Hacking/security in main-stream media) saphyr (Sep 30)
- Re: Hacking/security in main-stream media Andrew Sledge (Sep 30)
- Re: Hacking/security in main-stream media Jason Merriman (Sep 30)
- Re: Hacking/security in main-stream media Damon Leung (Sep 30)
- Re: Hacking/security in main-stream media Vlado Blaskov (Sep 30)
- RE: XSS, SQL injection etc - permutations of input strings Frank Knobbe (Sep 24)