WebApp Sec mailing list archives
Re: ISA Server and SQL Injection
From: Matthieu Estrade <mestrade () apache org>
Date: Thu, 17 Feb 2005 21:39:01 +0000
Jeff Robertson wrote:
I totally agree with you, but in this case, all your traffic containing possible attack will wake up all security detection system. What you speak about can be protected with a good whitelist setup with the knowledge of the forum to secure. A blacklist will always warn and block...oduct%20WHERE %20id=4 is not ok, and you shoud fire developper doing this....-----Original Message----- From: Matthieu Estrade [mailto:mestrade () apache org] Sent: Thursday, February 17, 2005 08:58 To: webappsec () securityfocus com Subject: Re: ISA Server and SQL InjectionYes sure, if you code application using in parameter some SQL query, you should read "howto do secure code for webapp".... Application mainly use value after used by the application inside a query, but the query is in the code.http://www.toto.com/test.php?product_id=4 is ok and there is NO WAY to see here some SQL Syntax.http://www.toto.com/test.php?product_id=SELECT%20*%20FROM%20prWhat if your web app is a web based forum where people discuss web security, and someone participating in a discussion about SQL Injection wants to post a message that has some SQL in it? How will the firewall know if from the real thing?
It depend how you want to secure your webapp. No setup -> blacklist with the limitation of a pattern matching protection Setup -> whitelist with all granular filter on each parameters and url.
Jeff Robertson Manager of Web Application Security Digital Insigh
Current thread:
- Re: ISA Server and SQL Injection, (continued)
- Re: ISA Server and SQL Injection Matthieu Estrade (Feb 17)
- Re: ISA Server and SQL Injection Bogdan Tomchuk (Feb 17)
- Re: ISA Server and SQL Injection Matthieu Estrade (Feb 17)
- RE: ISA Server and SQL Injection Marty Block (Feb 19)
- Re: ISA Server and SQL Injection fantomas (Feb 28)
- Re: ISA Server and SQL Injection Darren Bounds (Feb 16)
- Re: ISA Server and SQL Injection Matthieu Estrade (Feb 17)
- Re: ISA Server and SQL Injection Matthieu Estrade (Feb 19)
- RE: ISA Server and SQL Injection Ofer Shezaf (Feb 21)
- RE: ISA Server and SQL Injection Mark Curphey (Feb 21)
- Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Feb 23)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] David (Feb 23)
- Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Feb 28)
- storing SSNs, CCNs, password in the DB Francesco (Feb 28)
- Re: storing SSNs, CCNs, password in the DB Adam Shostack (Feb 28)
- Re: storing SSNs, CCNs, password in the DB Francesco (Feb 28)