WebApp Sec mailing list archives
RE: XSS, SQL injection etc - permutations of input strings
From: "Mike Andrews" <mike () se fit edu>
Date: Tue, 21 Sep 2004 00:41:24 -0400
******* Please don't read on any further if you were planning to post a reply to the original message. ******* So, firstly thanks to the people that have (or still are) replying to the original message. Please keep them coming. I appreciate the insights from the people "on the front lines". I must say that I had a bit of an ulterior motive for posting the question in the first place and I'm getting the kind of (great) replies I expected. It seems that most companies want/need an exploit to prompt a fix. I think that's just plain wrong, although I can see some of the cost/benefit arguments. If there's a few vulnerabilities to fix then of course they need to be triaged, but I think that there's better ways than spending time in creating an exploit (DREAD, etc?). For example, in my experience, crafting certain buffer overflows can be quite time consuming and at the very least there's a DOS attack in there somewhere. The time spent crafting the exploit may be better spent (e.g. doing further testing). In the current security conscious climate, I would have hoped that any vulnerability would be closed without debate, but I've certainly experienced times when vulnerabilities weren't fixed without an exploit (even returned "no repro") and sometimes even when a really good exploit was provided it wasn't fixed for some time. Also, I don't particularly like the idea of *having* to produce an exploit to get a fix. If we go back to the old IEEE definition of a defect (bug) then somewhere there's a flaw in the program that may (or may not) produce a failure (or failures). I have no evidence here, part of the ulterior motive of looking to see why developers create bugs in the first place and how they were fixed, but by providing an exploit developers may fixate on the failure rather than the flaw, leaving the flaw in the program for future exploitation that we may not currently know. I do agree however that following an exploit though can be a great way to uncover further vulnerabilities. The example that I have is an SQL injection - you may be able to select from the original table, but are there additional permissions on the DB so you can't get to information you shouldn't have (i.e. defense in depth). Once again thanks. Cheers, Mike. ---- Mike Andrews Florida Institute of Technology.
On Sat, 18 Sep 2004 19:15:54 -0400, Mike Andrews <mike () se fit edu> wrote:Over the past few days I've seen many posts about different ways ofencodingXSS/SQL injection strings, as well as leveraging a discoveredvulnerabilityin order to get more information about the target (other DBfields/schema).The question I'd like to ask the list is once you know a particularinputvector is vulnerable, why are people trying to push the exploit further, assuming that they are pen-testing rather than hacking the target? Fortheuninformed client, being able to show them that you 0wn3 theirserver/apponce should be enough to treat *any* discovered flaw as serious enoughtofix, even if it's only a JS alert box, a "or 1=1", or a "select fromanothertable" attack. My assumption here is a tester should use a variety of inputs to see howanapplication responds, but when it's clear that there's a defectsomewhereyou report the flaw back to the developers, telling them what/when/how,etc,then work with them to ensure they only accept *valid* input and notjustfilter for all of the ways you've attacked the flaw. There's obviously alternative inputs (i.e. debugging to help understand the defect), re-testing issues, and ensuring the fix actually did what it wassupposedto, but my belief is that once developers know they have a problem (for whatever reason) they are in much better position to put in a genericfix.Any thoughts on this. What is the point of extending an attack to (for example) discover the entire DB schema unless it is just showing off? Cheers, Mike ---- Mike Andrews Florida Institute of Technology-- ___________________________________ Harrison Gladden <hgladden () gmail com> Computer Engineer & Science Major ~Past experience: He who never makes mistakes, never did anything that's worth.~
Current thread:
- XSS, SQL injection etc - permutations of input strings Mike Andrews (Sep 18)
- Re: XSS, SQL injection etc - permutations of input strings Harrison Gladden (Sep 20)
- RE: XSS, SQL injection etc - permutations of input strings Mike Andrews (Sep 21)
- RE: XSS, SQL injection etc - permutations of input strings Eyal Udassin (Sep 20)
- Re: XSS, SQL injection etc - permutations of input strings Ben Timby (Sep 20)
- Re: XSS, SQL injection etc - permutations of input strings Keith Roberts (Sep 21)
- Re: XSS, SQL injection etc - permutations of input strings Devdas Bhagat (Sep 23)
- Re: XSS, SQL injection etc - permutations of input strings focus (Sep 27)
- Re: XSS, SQL injection etc - permutations of input strings James Barkley (Sep 29)
- Re: XSS, SQL injection etc - permutations of input strings Devdas Bhagat (Sep 23)
- Re: XSS, SQL injection etc - permutations of input strings Harrison Gladden (Sep 20)
- Re: XSS, SQL injection etc - permutations of input strings Jonathan Angliss (Sep 22)
- <Possible follow-ups>
- Re: XSS, SQL injection etc - permutations of input strings focus (Sep 21)
- RE: XSS, SQL injection etc - permutations of input strings Scovetta, Michael V (Sep 22)
- RE: XSS, SQL injection etc - permutations of input strings Frank Knobbe (Sep 24)