WebApp Sec mailing list archives
RE: aspx applictions SQL Injection
From: Bénoni MARTIN <Benoni.MARTIN () libertis ga>
Date: Wed, 13 Oct 2004 10:42:12 +0100
Hi Ahmed,

First of all, you are probably 'IT Audit Manager' and not 'IT Audit Manger' as your email says at the very end :-)

Second, your question ... Well, I myself posted a thread relating to your trouble on this list a couple of days ago (BTW, the thread still seems open): "ASP vs. ASP.NET". And the reply was what I was thinking:

- You can do secure apps. and crap apps. with asp and asp.net ...
- asp.net is easier to develop with than asp .... but harder to learn :).

It's then so stupid to say that using Perl/asp/asp.net/whatever language is THE solution: every language can be THE solution, if the people using it are good enough to develop in a good manner. But asp.net seems easier to secure than asp, that sounds OK.

So the IT people you are talking to do not seem very skilled to me, and maybe lazy as well. Maybe the best way to convince them is to make a compilation of docs written by some gurus telling what I said below ...

http://www.google.com/search?hl=fr&q=sql+injection+asp.net&lr= seems to me a good starting point :=)

HTH !

-----Original Message-----
From: Mohamed Ali [mailto:rxmohamed () hotmail com]
Sent: Tuesday, October 12, 2004 09:23
To: webappsec () securityfocus com
Subject: aspx applictions SQL Injection

Hi all,

I did a full pen-test on my client's web application and I can get almost all data and data dictionary information I need through exploiting SQL injection vulnerabilities they have in many dynamic pages.

The question is: when I discussed these issues with the IT people, they recommended not solving any of them but just converting to .Net technology. I'm not familiar with .Net tech., but this recommendation sounds weird to me.

IS THERE ANY WAY TO PROVE THAT THEIR RECOMMENDATION IS NOT ENOUGH TO PREVENT UNAUTHORIZED ACCESS THROUGH SQL INJECTION (their platform: IIS, SQL Server and Oracle)?

Any suggestions would be appreciated.

Thanks

Ahmed Rashad
IT Audit Manger
Experts.ae
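Added example, not part of the original thread or written by its participants: the reply above argues that moving from ASP to ASP.NET does not by itself remove SQL injection, and this C# sketch shows why by comparing a concatenated ADO.NET command with a parameterized one. Assumptions: the `users` table, its columns and all class and method names are hypothetical, and the `System.Data.SqlClient` provider is available (built into .NET Framework, a NuGet package on newer .NET); no database connection is opened.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added illustration; table "users" and all method names are hypothetical.
static class LookupDemo
{
    // Classic-ASP habit carried over to .NET: input is pasted into the SQL text.
    static SqlCommand BuildConcatenated(string name)
    {
        return new SqlCommand(
            "SELECT id, email FROM users WHERE name = '" + name + "'");
    }

    // Hardened form: the SQL text is a constant, input is a typed parameter.
    static SqlCommand BuildParameterized(string name)
    {
        var cmd = new SqlCommand(
            "SELECT id, email FROM users WHERE name = @name");
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 64).Value = name;
        return cmd;
    }

    // True when the statement text itself varies with the caller's input,
    // i.e. the input can reach the SQL parser as syntax.
    static bool TextDependsOnInput(Func<string, SqlCommand> build)
    {
        using (SqlCommand a = build("alice"))
        using (SqlCommand b = build("x' OR '1'='1"))   // constructed test value
        {
            return a.CommandText != b.CommandText;
        }
    }

    static void Main()
    {
        // No connection is opened: only the commands that would be sent are inspected.
        Console.WriteLine("concatenated,  text varies with input: "
            + TextDependsOnInput(BuildConcatenated));
        Console.WriteLine("parameterized, text varies with input: "
            + TextDependsOnInput(BuildParameterized));

        using (SqlCommand cmd = BuildParameterized("x' OR '1'='1"))
        {
            Console.WriteLine(cmd.CommandText);
            Console.WriteLine("@name = " + cmd.Parameters["@name"].Value);
        }
    }
}
```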
Current thread:
- aspx applictions SQL Injection Mohamed Ali (Oct 12)
- Re: aspx applictions SQL Injection Adam Shostack (Oct 12)
- RE: aspx applictions SQL Injection Anil John (Oct 12)
- RE: (@) aspx applictions SQL Injection Don Tuer (Oct 15)
- <Possible follow-ups>
- RE: aspx applictions SQL Injection Michael Silk (Oct 12)
- RE: aspx applictions SQL Injection Bénoni MARTIN (Oct 14)