WebApp Sec mailing list archives
RE: [WEB SECURITY] Re: SQL In the Request
From: "Erez Metula" <erezmetula () 2bsecure co il>
Date: Thu, 5 Oct 2006 19:00:46 +0200
Just to add another dumb example from real life, I did an application assessment a couple of months ago that had a page like this: http://AppName/QueryDB.jsp?sql=sql_query it can't be worse than that.. ________________________________ Erez Metula, CISSP Application Security Department Manager Security Software Engineer E-Mail: erezmetula () 2bsecure co il Mobile: 972-54-2108830 Office: 972-39007530 -----Original Message----- From: Ory Segal [mailto:osegal () watchfire com] Sent: Thursday, October 05, 2006 6:38 PM To: bryan allott; webappsec () securityfocus com; websecurity () webappsec org Subject: RE: [WEB SECURITY] Re: SQL In the Request Hi, I actually saw this kind of blasphemy several years ago -- an application that builds a SQL query using client-side JavaScript. The complete SQL query was then passed as a hidden parameter to the web application... Go figure... -Ory Segal http://www.watchfire.com -----Original Message----- From: bryan allott [mailto:homegrown () bryanallott net] Sent: Thursday, October 05, 2006 5:35 PM To: webappsec () securityfocus com; websecurity () webappsec org Subject: [WEB SECURITY] Re: SQL In the Request Just when i thought i had seen it all... -i come across a site which passes in the following as part of the REQUEST.. yes, the SWF builds a request and sends it through to a php server... in plain text. POST /flashsql.php?id=106 HTTP/1.1 = QUERYSTRING ==== id=106 = BODY ==== host=<HOSTNAME> sql_=SELECT DISTINCT(movies.id), movies.name, filename FROM movies LEFT JOIN groups_movies ON (movies.id = groups_movies.movie_id) LEFT JOIN groups ON (groups.id = groups_movies.group_id) LEFT JOIN files_groups ON (groups.id = files_groups.group_id) LEFT JOIN files ON (files.id = files_groups.file_id) WHERE movies.id IN(155,150,52,149,134,133,76) AND files.file_type_id=9 ORDER BY movies.id dat=sk_cms is there anyway that this can be "acceptable" ? ------------------------------------------------------------------------ ---- The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/ The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/ http://www.webappsec.org/rss/websecurity.rss [RSS Feed] ------------------------------------------------------------------------ ---- The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/ The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/ http://www.webappsec.org/rss/websecurity.rss [RSS Feed] ------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire has new programs available for pen testers and consultants to use AppScan in client engagements. AppScan is the leading Web application assessment tool. Want to see it for yourself? Take a look today! https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YSz --------------------------------------------------------------------------
Current thread:
- RE: [WEB SECURITY] Re: SQL In the Request Ory Segal (Oct 05)
- RE: [WEB SECURITY] Re: SQL In the Request Rowland (Oct 09)
- <Possible follow-ups>
- RE: [WEB SECURITY] Re: SQL In the Request Erez Metula (Oct 05)
- RE: [WEB SECURITY] Re: SQL In the Request Nish Bhalla (Oct 05)
- Re: [WEB SECURITY] Re: SQL In the Request bugtraq (Oct 05)
- Re: [WEB SECURITY] Re: SQL In the Request bryan allott (Oct 09)
- RE: [WEB SECURITY] Re: SQL In the Request Jeff Robertson (Oct 09)
- Re: [WEB SECURITY] Re: SQL In the Request bryan allott (Oct 09)
- Re: [WEB SECURITY] Re: SQL In the Request Rick Zhong (Oct 09)
- Re: [WEB SECURITY] Re: SQL In the Request bryan allott (Oct 09)