Re: ISA Server and SQL Injection

[Matthieu Estrade <mestrade () apache org>]

Jeff Robertson wrote:

> > -----Original Message-----
> > From: Matthieu Estrade [mailto:mestrade () apache org]
> > Sent: Thursday, February 17, 2005 08:58
> > To: webappsec () securityfocus com
> > Subject: Re: ISA Server and SQL Injection
> >
> > Yes sure, if you code application using in parameter some SQL 
> > query, you 
> > should read "howto do secure code for webapp"....
> > Application mainly use value after used by the application inside a 
> > query, but the query is in the code.
> >
> > http://www.toto.com/test.php?product_id=4 is ok and there is 
> > NO WAY to 
> > see here some SQL Syntax.
> >
> > http://www.toto.com/test.php?product_id=SELECT%20*%20FROM%20pr
> >    
> oduct%20WHERE 
> %20id=4 is not ok, and you shoud fire developper doing this....
>
> What if your web app is a web based forum where people discuss web security,
> and someone participating in a discussion about SQL Injection wants to post
> a message that has some SQL in it? How will the firewall know if from the
> real thing?
>
>
>  
I totally agree with you, but in this case, all your traffic containing 
possible attack will wake up all security detection system. What you 
speak about can be protected with a good whitelist setup with the 
knowledge of the forum to secure. A blacklist will always warn and block...

It depend how you want to secure your webapp.
No setup -> blacklist with the limitation of a pattern matching protection
Setup -> whitelist with all granular filter on each parameters and url.


> Jeff Robertson
> Manager of Web Application Security
> Digital Insigh
>
>