Penetration Testing mailing list archives
Re: SQL injection
From: Matt Davis <stackinjection () gmail com>
Date: Thu, 9 Jun 2005 16:58:15 -0500
Just kind of an FYI... It is probably not a good idea to list the vendors you use to protect your network with to a security mailing list... especially a pen-test one. :-D

Cheers,
Matt

On 6/9/05, Faisal Khan <faisal () netxs com pk> wrote:

> Well I'll be dog gone! I just wasn't aware of such devices out there in the market (and I thought I was up to date! evidently not). We protect our network with IPS (TopLayer), IDS (Juniper and GFI LANGuard & SNORT) and Firewall (Juniper Netscreen) and always thought that would be enough, but SQL injection has always been a concern. Since we are not able to actively defend it, it's in our TOS/SLA that we do NOT defend against SQL Injections.
>
> Thanks to all who pitched in an answer/suggestion.
>
> Faisal
>
> At 09:35 PM 6/9/2005, Richard Barrell wrote:
>
>> Hi Faisal,
>>
>> There are dedicated devices that are designed to prevent attacks of this sort - web application firewalls. Here is a list of manufacturers that you should look into (in alphabetical order):
>>
>> Imperva - www.imperva.com/
>> Kavado - www.imperva.com/
>> Netcontinuum - www.netcontinuum.com/
>> Teros - www.teros.com/
>> Watchfire (Sanctum) - www.watchfire.com
>>
>> AND, if you'll forgive the plug, Sentryware: www.sentryware.com
>>
>> Good luck in your search,
>> Rich
>>
>> -----------------
>> FK> Pardon the ignorance, but is there any hardware/software based device that
>> FK> can outright prevent/mitigate (detect?) SQL injections? Would an IDS be
>> FK> able to prevent this?
>> ---------------------
>>
>> Richard Barrell, CCNP, CCDP
>> International Pre-Sales Manager
>> www.sentryware.com
>> Parque Empresarial Zuatzu
>> Edificio Urgull, 2ª local 10
>> 20018 Donostia-San Sebastián
>> Spain
>> Tel: +34 943 31 73 30
>> Mvl: +34 646 97 10 18
>> Skype: mr_barrell
>
> Faisal Khan
> CEO
> Net Access Communication Systems (Private) Limited
> _____________________________
> 1107 Park Avenue, 24-A, Block 6, PECHS, Main Shahrah-e-Faisal, Karachi 74500 (Pakistan)
> Board: +92 (21) 111 222 377
> Direct: +92 (21) 454-346
> Fax: +92 (21) 454-4347
> Cell: +92 (333) 216-1291
> Email: faisal () netxs com pk
> Web: <http://www.netxs.com.pk/>www.netxs.com.pk
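The thread above discusses network-side products (IDS, WAF) for SQL injection, but the root cause lives in the application: user input spliced into SQL text becomes part of the query's syntax. The example below is an added illustration, not code from any poster or vendor in this thread. It uses Python's standard sqlite3 module with a constructed in-memory users table (the table, the user names and passwords are made up for the demo), and places a string-concatenating login lookup beside a parameterized one. A legitimate name containing an apostrophe is enough to show the difference: the concatenated query breaks because the quote character changes the query structure, while the parameterized query treats the same input purely as data.

```python
import sqlite3

# Constructed sample data for this demo; not from the mailing-list thread.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Anti-pattern: user input is concatenated into the SQL text.

    Any quote character in `name` or `password` is interpreted as SQL
    syntax rather than as data, which is exactly the injection condition.
    """
    sql = (
        "SELECT name FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """Hardened form: placeholders bind the input as values, never as syntax."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def run_login(conn, fn, name, password):
    """Run a login function and report ('ok', rows) or ('error', message).

    Wrapping the call lets the two styles be compared on the same input
    without the vulnerable one tearing down the demo with an exception.
    """
    try:
        return ("ok", fn(conn, name, password))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    # Ordinary credentials: both styles agree.
    print("normal/vulnerable:", run_login(db, login_vulnerable, "alice", "s3cret"))
    print("normal/safe:      ", run_login(db, login_safe, "alice", "s3cret"))
    # A name with an apostrophe: the concatenated query is now malformed,
    # proving the input reached the SQL parser as syntax; the bound query
    # simply finds no such user.
    print("quote/vulnerable: ", run_login(db, login_vulnerable, "o'brien", "x"))
    print("quote/safe:       ", run_login(db, login_safe, "o'brien", "x"))
```

The syntax error from the concatenated version is the tell-tale of the bug class: if a stray quote can break the query, crafted input can reshape it. Parameterized queries fix this at the source regardless of what sits in front of the web server; a WAF or IDS can add detection and a layer of defense, but cannot substitute for binding input as data in the application itself.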
Current thread:
- RE: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services, (continued)
- RE: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services Geoff Varosky (Jun 07)
- Re: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services mike king (Jun 07)
- RE: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services Erik Pace Birkholz (Jun 09)
- RE: pen-test on a windows 2003 server box whit MS-SQL and Terminal Services DUBRAWSKY, IDO (CALLISMA) (Jun 09)
- Message not available
- SQL injection Faisal Khan (Jun 09)
- Re: SQL injection Joel Esler (Jun 09)
- Re: SQL injection ilaiy (Jun 09)
- Re: SQL injection Christian Martorella (Jun 09)
- Re: SQL injection Richard Barrell (Jun 09)
- Re: SQL injection Faisal Khan (Jun 09)
- Re: SQL injection Matt Davis (Jun 09)
- Message not available
- RE: SQL injection Aric Perminter (Jun 09)