Full Disclosure mailing list archives
Re: FW: Introducing a new generic approach to detecting SQL injection
From: Mohit Muthanna <mohit.muthanna () gmail com>
Date: Sat, 23 Apr 2005 08:20:03 -0400
What is intriguing me about it is that it is a different way of approaching the problem of untrusted user input, one that uses the strengths of the dbms itself rather than relying on code written on a layer above the dbms to send safe data to the dbms.
True... it is novel. My guess is that it opens up a really big can of worms.
Because we are not talking about an attacker on a psql console, we are talking about an attacker passing characters through an interface layer that might be using different rules than the PostgreSQL parser. If I can encode' as a multibyte character in a way that the layer which is doing the escaping does not recognize it as a ' character, but the PostgreSQL parser does, then I can bypass your
I wasn't talking about the console either. But I see your point about weaknesses in the validation mechanisms of other interface layers adding an element of uncertainty. I'd like to add that in this case, prepared statements (or very restrictive regular expressions) would be invaluable.
attacks in the same way that it does. One form of attack I see that it won't recognise is a valid clause that extends the scope of the result set without invoking the name of a entity in the database: "' and 1=1 and 1='"
Yes. This is just one worm from the can. :-)
I have learned to worry when some piece of security seems easy.... :)
With good reason. Mohit. -- Mohit Muthanna [mohit (at) muthanna (uhuh) com] "There are 10 types of people. Those who understand binary, and those who don't." _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- FW: Introducing a new generic approach to detecting SQL injection Glenn.Everhart (Apr 19)
- RE: FW: Introducing a new generic approach todetecting SQL injection Paul Melson (Apr 19)
- Re: FW: Introducing a new generic approach to detecting SQL injection Mohit Muthanna (Apr 20)
- Re: FW: Introducing a new generic approach to detecting SQL injection Paul J. Morris (Apr 22)
- Re: FW: Introducing a new generic approach to detecting SQL injection Mohit Muthanna (Apr 22)
- Re: FW: Introducing a new generic approach to detecting SQL injection Paul J. Morris (Apr 22)
- Message not available
- Re: FW: Introducing a new generic approach to detecting SQL injection Paul J. Morris (Apr 22)
- Re: FW: Introducing a new generic approach to detecting SQL injection Mohit Muthanna (Apr 23)
- Re: FW: Introducing a new generic approach to detecting SQL injection Bipin Gautam (Apr 23)
- Re: FW: Introducing a new generic approach to detecting SQL injection Mohit Muthanna (Apr 22)