Penetration Testing mailing list archives
RE: SQL injection
From: Faisal Khan <faisal () netxs com pk>
Date: Sun, 12 Jun 2005 20:06:28 +0500
Folks,

Thank you for your recommendations. Needless to say, I now have my hands full reading up and learning about all the possible solutions out there.
Whilst I agree with the notion that bad coding is the main thing to avoid as far as SQL injections are concerned (or any other vulnerability for that matter), there is a question that begs to be answered. For "Service Providers" (emphasis supplied), providing secure hosting infrastructure can only be, in my opinion, on the Layer 2/3 front. On the Application Layer (Layers 4-7) it is very hard for a service provider to provide secure solutions for code of which we have no "a priori" knowledge.
I just think by investing in such security gear (IPS, IDS, Firewalls, etc.) we are hopefully adding a layer of protection for our clients, knowing well that this protective layer could very well be breached.
But then I guess, to sum it up in the crudest of terms, something is better than nothing.
Regards,
Faisal

At 01:43 PM 6/10/2005, Leandro Reox wrote:
> Good point Todd, I think everybody here agrees that the first countermeasure for SQL injection attacks is "Secure Programming". Bad coding will be your worst enemy at the time when "that kid inserts a ' in your login form". There's no perfect appliance for this kind of attack and maybe hours of customizing sigs aren't worth it. Most SQLi attackers will give up after typing a few " ' 'OR 1=1-- "; I say most of them, because there's a lot of good SQLi practitioners out there. Like Todd says, "nothing is 100% secure", so well-coded web apps + good sig-based detection + good db diagramming + a lot of conscience makes a nice combo.
>
> Cheers!
>
> -----Original Message-----
> From: Todd Towles [mailto:toddtowles () brookshires com]
> Sent: Friday, June 10, 2005 3:16 AM
> To: James Riden; Tim
> Cc: pen-test () securityfocus com
> Subject: RE: SQL injection
>
> Well, sig based detection is just that, sig based. So I am sure that new attacks or old attacks may be able to bypass most IDS/IPS with various techniques. But no IDS or IPS system is perfect. No firewall or AV is perfect. We are talking about protection - nothing is 100% secure. Blocking the basic SQL injection attack is better than nothing at all.
>
> > -----Original Message-----
> > From: jriden () it029205 massey ac nz
> > [mailto:jriden () it029205 massey ac nz] On Behalf Of James Riden
> > Sent: Thursday, June 09, 2005 10:01 PM
> > To: Tim
> > Cc: pen-test () securityfocus com
> > Subject: Re: SQL injection
> >
> > Tim <tim-pentest () sentinelchicken org> writes:
> >
> > > I am sure many IPS/IDSes are great for stopping a lot of attacks. I find it incredibly hard to believe that they stop all. It is far better to write good code in the first place.
> >
> > Definitely true.
> >
> > > To those people out there who recommended this or that IPS/IDS: Have you tested these against real attacks?
> >
> > Yes, I've caught real attacks using snort with the bleeding rules. As you say, perhaps only the obvious ones though ("xp_cmdshell").
> >
> > --
> > James Riden / j.riden () massey ac nz / Systems Security Engineer
> > GPG public key available at: http://www.massey.ac.nz/~jriden/
> > This post does not necessarily represent the views of my employer.
Faisal Khan
CEO
Net Access Communication Systems (Private) Limited
_____________________________
1107 Park Avenue, 24-A, Block 6, PECHS, Main Shahrah-e-Faisal, Karachi 74500 (Pakistan)
Board: +92 (21) 111 222 377
Direct: +92 (21) 454-346
Fax: +92 (21) 454-4347
Cell: +92 (333) 216-1291
Email: faisal () netxs com pk
Web: http://www.netxs.com.pk/
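The two halves of the thread above, "bad coding" versus "secure programming" with a crude signature layered on top, as an added example in Python with sqlite3 (not code from any poster). The `users` table, the credentials and the one-line regex signature are constructed here for illustration; the signature is a deliberately minimal stand-in for the kind of IDS rule being discussed.

```python
import re
import sqlite3


def make_db():
    """Constructed sample database: one users table with a single row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_concat(conn, username, password):
    """The 'bad coding' case: input is spliced straight into the SQL text,
    so a quote character in the input changes the meaning of the query."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn, username, password):
    """The 'secure programming' case: bound parameters. The driver sends the
    values separately from the statement, so input is never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Hypothetical minimal signature in the spirit of the IDS rules discussed:
# it only catches the obvious "' OR 1=1--" probe and "xp_cmdshell" strings.
BASIC_SIGNATURE = re.compile(r"'\s*or\s+1\s*=\s*1|--|xp_cmdshell", re.IGNORECASE)


def basic_signature_hit(field_value):
    """True when a submitted form field matches the crude signature above."""
    return BASIC_SIGNATURE.search(field_value) is not None


if __name__ == "__main__":
    db = make_db()
    probe = "' OR 1=1--"  # the login-form probe quoted in the thread
    print("concatenated query, probe :", login_concat(db, probe, "x"))      # True
    print("parameterized query, probe:", login_param(db, probe, "x"))       # False
    print("parameterized, real creds :", login_param(db, "alice", "s3cret"))  # True
    print("signature flags probe     :", basic_signature_hit(probe))        # True
    print("signature flags 'alice'   :", basic_signature_hit("alice"))      # False
```

The concatenated query lets the probe comment out the password check entirely, while the parameterized query treats the same string as a literal username that matches nobody; the signature catches this one probe but, as Todd and James note, nothing beyond what it was written for.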