Penetration Testing mailing list archives

Re: SQL injection


From: Matt Davis <stackinjection () gmail com>
Date: Thu, 9 Jun 2005 16:58:15 -0500

Just kind of an FYI...

It is probably not a good idea to list the vendors you use to protect
your network on a security mailing list... especially a pen-test
one.

:-D

Cheers,
Matt

On 6/9/05, Faisal Khan <faisal () netxs com pk> wrote:


Well, I'll be doggone! I just wasn't aware of such devices out there in the
market (and I thought I was up to date! evidently not).

We protect our network with IPS (TopLayer), IDS (Juniper and GFI LANGuard &
SNORT) and Firewall (Juniper Netscreen) and always thought that would be
enough, but SQL injection has always been a concern. Since we are not able
to actively defend it - it's in our TOS/SLA that we do NOT defend against
SQL Injections.

Thanks to all who pitched in an answer/suggestion.

Faisal



At 09:35 PM 6/9/2005, Richard Barrell wrote:
Hi Faisal,

There are dedicated devices that are designed to prevent attacks of
this sort - web application firewalls. Here is a list of
manufacturers that you should look into:

(in alphabetical order)

Imperva          - www.imperva.com/
Kavado           - www.imperva.com/
Netcontinuum     - www.netcontinuum.com/
Teros            - www.teros.com/
Watchfire (Sanctum) - www.watchfire.com

AND, if you'll forgive the plug,

Sentryware:       www.sentryware.com

Good luck in your search,

Rich

-----------------
FK> Pardon the ignorance, but is there any hardware/software based device that
FK> can outright prevent/mitigate (detect?) SQL injections? Would an IDS be
FK> able to prevent this?

---------------------
Richard Barrell, CCNP, CCDP
International Pre-Sales Manager

www.sentryware.com
Parque Empresarial Zuatzu
Edificio Urgull, 2ª local 10
20018 Donostia-San Sebastián
Spain

Tel: +34 943 31 73 30
Mvl: +34 646 97 10 18
Skype: mr_barrell



Faisal Khan
CEO
Net Access Communication
Systems (Private) Limited
_____________________________
1107 Park Avenue, 24-A, Block 6,
PECHS, Main Shahrah-e-Faisal,
Karachi 74500 (Pakistan)
Board: +92 (21) 111 222 377
Direct: +92 (21) 454-346
Fax: +92 (21) 454-4347
Cell: +92 (333) 216-1291
Email: faisal () netxs com pk
Web: www.netxs.com.pk





