Dailydave mailing list archives
Re: From blackbox to grey-box during Web App tests
From: Adriel Desautels <adriel () netragard com>
Date: Fri, 12 Oct 2007 15:25:00 -0400
Regarding SQL Injection: Why don't more people just use Parameterized Stored Procedures? Is it because there are implementation issues or because people don't know about them? What's your opinion?

Regards,
Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.
Office : 617-934-0269
Mobile : 617-633-3821
http://www.linkedin.com/pub/1/118/a45
---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Dave Aitel wrote:
So Fortify has this out - it's interesting, but I think it's not what I want. Has anyone used it? http://www.fortifysoftware.com/products/tracer/

I dunno why everyone gets so hung up on metrics when they should be going for the jugular. What I want is to use SPIKE Proxy and, while I'm testing the web app, have every CreateProcess and SQL statement fed to me, and then have a filter so I can look only at what I care about (and avoid spamming their network too much - especially on busy sites). Theoretically you could then write something that autodetected and bypassed filters and automated getting you your SQL injection in the first place. And you would have at least one eye in the land of the blind SQL injection.

It's probably more work to write this email than write up the code using Immunity Debugger and SPIKE Proxy, so maybe I'll just go off and do that.

-dave
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
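The two posts above touch the same mechanism from opposite sides: Adriel asks why parameterized statements are not used more, and Dave wants to watch every SQL statement the application actually hands to the database. The following is an added example (not code from either poster) that shows both in one place using Python's built-in sqlite3 module: a login lookup written with string concatenation beside the same lookup written with bound parameters, plus a trace callback that records the statement text the engine executes. SQLite has no stored procedures, so the example uses plain parameterized statements, which is the part that keeps input out of the SQL text. The table, the two user rows and the hostile input are constructed for the example.

```python
import sqlite3

# Constructed sample rows; nothing here comes from the mailing list post.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def login_concatenated(conn, name, password):
    """Vulnerable form: the caller's input is spliced into the SQL text,
    so a quote character in the input changes the structure of the query."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name, password):
    """Safe form: the SQL text is fixed and the values travel separately as
    bound parameters, so the engine never parses them as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def run_login(login_fn, name, password):
    """Open a fresh in-memory database, run one login attempt with the given
    function, and return (matched user names, statements seen by the engine).

    The trace callback is the in-process equivalent of the "feed me every SQL
    statement" view Dave describes: whatever text reaches the engine for this
    attempt is appended to `seen`."""
    seen = []
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    # Register the tracer after schema setup so only the login query is logged.
    conn.set_trace_callback(seen.append)
    names = login_fn(conn, name, password)
    conn.close()
    return names, seen


if __name__ == "__main__":
    # Constructed hostile input: a quote followed by an always-true clause.
    hostile = "' OR '1'='1"
    for fn in (login_concatenated, login_parameterized):
        names, seen = run_login(fn, hostile, hostile)
        print(fn.__name__, "->", names)
        for stmt in seen:
            print("   engine saw:", stmt)
```

Running it shows the concatenated version returning every user for the hostile input while the parameterized version returns nothing, and the traced statement text makes the difference visible: in the first case the OR clause is part of the query the engine parsed, in the second it is only ever a string value compared against the column. The same trace hook is also a cheap way, during a grey-box test, to confirm which code paths still build SQL by hand.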