Penetration Testing mailing list archives
Re: SQL injection
From: "DokFLeed" <dokfleed () dokfleed net>
Date: Fri, 10 Jun 2005 15:13:23 +0400
There was a CGI Shield once, http://cgishield.com/ . I am not sure what happened to the author; the domain is for sale, so I tried to go on with the project for more than a year.

It stops web attacks, including SQL injections: "IRax is a PHP gateway; it can be integrated in any web application to stop known attacks. It prevents SQL injections, XSS, and many other known attacks. It depends mainly on PHP client/server socket scripting."

http://www.dokfleed.net/irax/

It's signature based:
* signature file is separated
* exception pages & fields are allowed
* reporting templates built-in
* faster interception engine
* recoded reporting server

All contributions are welcomed,
DokFLeed

----- Original Message -----
From: "Hernán M. Racciatti" <hracciatti () gmail com>
To: <pen-test () securityfocus com>
Sent: Friday, June 10, 2005 10:40 PM
Subject: Re: SQL injection

On 6/10/05, Leandro Reox <lmet5on () fibertel com ar> wrote:
> Like Todd says, "nothing is 100% secure".
> That is real life...
> So well-coded web apps + good signature-based detection + good DB diagramming + a lot of conscience make a nice combo.

I agree, but I would add one or two additional items: security in depth and fewer privileges...

P.S.: In SQL injection tactics, evasion is OFTEN possible, e.g.:
'OR 1=1--
'OR1=1--
'or2>1--
%27%4f%52%20%31%3d%31%2d%2d
%27%4f%52%20'a'=N'a'
etc...

Configuring signatures is theoretically possible, but not in practical terms... Clean code is the only last defense.

My 2 cents. Bye.

--
Hernán Marcelo Racciatti
Core Team Member ISECOM (Institute for Security and Open Methodologies)
Coordinator OISSG, Argentina (Open Information System Security Group)
[mailto:hracciatti () gmail com]
[http://www.hernanracciatti.com.ar]
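An added illustration of Hernán's point, not part of the thread or of IRax: a literal signature check catches only the exact form it was written for, while a parameterized query treats every one of the quoted variants as plain data. The table, rows and the `lookup_*` helper names are constructed for this example; the inputs are the ones listed in the mail above.

```python
import sqlite3
import urllib.parse

# Constructed sample data; not from the thread.
_ROWS = [("alice", "s3cret"), ("bob", "hunter2")]

# Variants quoted in Hernán's mail, as they would arrive on the wire.
RAW_INPUTS = [
    "'OR 1=1--",
    "'OR1=1--",
    "'or2>1--",
    "%27%4f%52%20%31%3d%31%2d%2d",
    "%27%4f%52%20'a'=N'a'",
]

# A literal signature list in the style the mail argues against.
SIGNATURES = ["'OR 1=1--"]


def make_db():
    """In-memory SQLite table standing in for a real users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", _ROWS)
    return conn


def naive_signature_match(raw):
    """Matches the raw request only if a signature appears verbatim."""
    return any(sig in raw for sig in SIGNATURES)


def lookup_concat(conn, name):
    """Vulnerable form: decoded input is spliced into the SQL text."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    try:
        return [r[0] for r in conn.execute(sql)]
    except sqlite3.Error:
        return None  # the spliced text did not even parse as SQL


def lookup_param(conn, name):
    """Hardened form: input is bound as a parameter, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [r[0] for r in conn.execute(sql, (name,))]


def decode(raw):
    """What a web server does before the value reaches application code."""
    return urllib.parse.unquote(raw)
```

Only the first raw string trips the signature, yet every decoded variant returns no rows through `lookup_param`, which is the "clean code" defense the mail describes.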