Re: XSS, SQL injection etc - permutations of input strings

[Jonathan Angliss <jon () netdork net>]

Hello Mike,

Saturday, September 18, 2004, 6:15:54 PM, you wrote:

> Over the past few days I've seen many posts about different ways of encoding
> XSS/SQL injection strings, as well as leveraging a discovered vulnerability
> in order to get more information about the target (other DB fields/schema).

> The question I'd like to ask the list is once you know a particular input
> vector is vulnerable, why are people trying to push the exploit further,
> assuming that they are pen-testing rather than hacking the target?  For the
> uninformed client, being able to show them that you 0wn3 their server/app
> once should be enough to treat *any* discovered flaw as serious enough to
> fix, even if it's only a JS alert box, a "or 1=1", or a "select from another
> table" attack.

While sometimes it seems odd to continue bashing away at certain
points, consider it a good method to establish what else lies beneath.
You might be able to find out a lot more, and find further weaknesses
in other points of the system. Consider it like a punctured tire,
simply covering the hole doesn't mean you fixed the issue, you just
averted all the air escaping. To really fix the issue, you need to
remove the nail, and plug it correctly. You can never know when a code
change in another location might have an unsuspecting affect on the
"fix" you put over that hole, or if it'll leave a new hole to a
security issue you could have discovered by bashing away at the same
hole that was discovered before.

-- 
Jonathan Angliss
<jon () netdork net>