WebApp Sec mailing list archives

RE: aspx applications SQL Injection


From: Bénoni MARTIN <Benoni.MARTIN () libertis ga>
Date: Wed, 13 Oct 2004 10:42:12 +0100

Hi Ahmed,

First of all, you are probably 'IT Audit Manager' and not 'IT Audit Manger' as your email says at the very end :-)

Second, your question ... Well, I posted myself a thread relating to your trouble on this list a couple of days ago 
(BTW, the thread still seems open): "ASP vs. ASP.NET". And the reply was what I was thinking:
        - You can do secure apps and crap apps with asp and asp.net ...
        - asp.net is easier to develop with than asp .... but harder to learn :).

It's then so stupid to say that using Perl/asp/asp.net/whatever language is THE solution: every language can be THE 
solution, if the people using it are good enough to develop it in a good manner. But asp.net seems easier to secure than 
asp; that sounds OK.

So the IT people you are talking to do not seem very skilled to me, and maybe lazy as well.

Maybe the best way to convince them is to make a compilation of docs written by some gurus telling what I said below ...
http://www.google.com/search?hl=fr&q=sql+injection+asp.net&lr= seems to me a good starting point :=)


HTH !


-----Original Message-----
From: Mohamed Ali [mailto:rxmohamed () hotmail com] 
Sent: Tuesday, 12 October 2004 09:23
To: webappsec () securityfocus com
Subject: aspx applications SQL Injection

Hi all,

I did a full pen-test on my client's web application and I can get almost all the data and data dictionary information I 
need by exploiting SQL injection vulnerabilities they have in many dynamic pages.

The question is, when I discussed these issues with the IT people they recommended 
not solving any of them but just converting to .Net technology. I'm not 
familiar with .Net tech, but this recommendation sounds weird to me. IS THERE ANY WAY TO PROVE THAT THEIR RECOMMENDATION 
IS NOT ENOUGH TO PREVENT UNAUTHORIZED ACCESS THROUGH SQL INJECTION? (Their platform: IIS, SQL Server and Oracle.)


Any suggestions would be appreciated.

Thanks



Ahmed Rashad
IT Audit Manger
Experts.ae

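As an added example (not code from either poster), here is the same ASP.NET lookup written in C# two ways against SQL Server: the first carries the injection bug across the migration the IT people propose, the second fixes it with a parameterized query. The Users table, the Username column, the AppDb connection-string name and the 64-character length are assumptions; with the Oracle provider the pattern is identical, only the parameter marker changes to `:username`.

```csharp
// Added example, not from the thread. Assumed: a "Users" table with an
// "Id" and a "Username" column, and a connection string named "AppDb".
using System;
using System.Data;
using System.Data.SqlClient;
using System.Configuration;

public class UserLookup
{
    private static readonly string ConnStr =
        ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;

    // VULNERABLE: the user-supplied value is pasted into the SQL text. A single
    // quote in the value closes the literal and the rest of the value is parsed
    // as SQL. Porting this page from ASP to ASP.NET changes nothing here; it is
    // the same bug written in a newer language.
    public static DataTable FindUserVulnerable(string username)
    {
        string sql = "SELECT Id, Username FROM Users WHERE Username = '" + username + "'";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        using (var da = new SqlDataAdapter(cmd))
        {
            var table = new DataTable();
            da.Fill(table);   // Fill opens and closes the connection itself
            return table;
        }
    }

    // FIXED: the value travels to the server as a typed parameter, never as part
    // of the SQL text, so the database treats it as one literal string whatever
    // characters it contains. The length cap (64, assumed) also rejects oversized
    // input before it reaches the server.
    public static DataTable FindUserSafe(string username)
    {
        const string sql = "SELECT Id, Username FROM Users WHERE Username = @username";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 64).Value = username;
            using (var da = new SqlDataAdapter(cmd))
            {
                var table = new DataTable();
                da.Fill(table);
                return table;
            }
        }
    }
}
```

A code review that greps the ported pages for string concatenation into SqlCommand text (and for SqlParameter or OracleParameter use) is a quicker way to answer the question on the list than re-running the pen-test after the migration.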



