Penetration Testing mailing list archives

RE: SQL injection


From: Faisal Khan <faisal () netxs com pk>
Date: Sun, 12 Jun 2005 20:06:28 +0500



Folks,

Thank you for your recommendations. Needless to say I now have my hands full in reading up and learning about all the possible solutions out there.

Whilst I agree with the notion that bad coding is the main thing to avoid as far as SQL Injections are concerned (or any other vulnerability for that matter), there is a question that begs to be answered. For "Service Providers" (emphasis supplied), providing secure hosting infrastructure, can only be in my opinion on the Layer 2/3 front. On the Application Layer (Layers 4-7) it is very hard for a service provider to provide secure solutions to code for which we have no "a priori" knowledge.

I just think by investing in such security gear (IPS, IDS, Firewalls, etc.) we are hopefully adding a layer of protection for our clients, knowing well that this protective layer could very well be breached.

But then I guess to sum it up in the crudest of terms, something is better than nothing.

Regards,

Faisal




At 01:43 PM 6/10/2005, Leandro Reox wrote:
Good point Todd, I think everybody here agrees that the first countermeasure
for SqlInjection attacks is "Secure Programming". Bad coding will be your
worst enemy at the time when "that kid inserts a ' in your login form".
There's no perfect appliance for this kind of attack and maybe hours of
customizing sigs aren't worth it. Most SqlI attackers will give up after
typing a few " ' 'OR 1=1-- , I say most of them, because there's a lot of
good SqlI practitioners out there.
Like Todd says "nothing is 100% secure" so well-coded web apps + good sig-
based detection + good db diagramming + a lot of conscience makes a nice
combo.

Cheers !



-----Original Message-----
From: Todd Towles [mailto:toddtowles () brookshires com]
Sent: Friday, June 10, 2005 3:16 AM
To: James Riden; Tim
Cc: pen-test () securityfocus com
Subject: RE: SQL injection

Well, sig-based detection is just that, sig based. So I am sure that new
attacks or old attacks may be able to bypass most IDS/IPS with various
techniques. But no IDS or IPS system is perfect. No firewall or AV is
perfect. We are talking about protection - nothing is 100% secure.
Blocking the basic SQL injection attack is better than nothing at all.

> -----Original Message-----
> From: jriden () it029205 massey ac nz
> [mailto:jriden () it029205 massey ac nz] On Behalf Of James Riden
> Sent: Thursday, June 09, 2005 10:01 PM
> To: Tim
> Cc: pen-test () securityfocus com
> Subject: Re: SQL injection
>
> Tim <tim-pentest () sentinelchicken org> writes:
>
> > I am sure many IPS/IDSes are great for stopping a lot of
> attacks.  I
> > find it incredibly hard to believe that they stop all.  It is far
> > better to write good code in the first place.
>
> Definitely true.
>
> > To those people out there who recommended this or that IPS/IDS:
> > Have you tested these against real attacks?
>
> Yes, I've caught real attacks using snort with the bleeding
> rules. As you say, perhaps only the obvious ones though
> ("xp_cmdshell").
>
> --
> James Riden / j.riden () massey ac nz / Systems Security
> Engineer GPG public key available at:
> http://www.massey.ac.nz/~jriden/ This post does not
> necessarily represent the views of my employer.
>
>



Faisal Khan
CEO
Net Access Communication
Systems (Private) Limited
_____________________________
1107 Park Avenue, 24-A, Block 6,
PECHS, Main Shahrah-e-Faisal,
Karachi 74500 (Pakistan)
Board: +92 (21) 111 222 377
Direct: +92 (21) 454-346
Fax: +92 (21) 454-4347
Cell: +92 (333) 216-1291
Email: faisal () netxs com pk
Web: http://www.netxs.com.pk/
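The thread's two points, that "secure programming" is the real fix and that a signature will at least catch the basic `' OR 1=1--` case, can be shown side by side. The following is an added example and is not code from any of the posters; it assumes a constructed in-memory SQLite `users` table with one row, a hypothetical login function written both the "bad coding" way (string concatenation) and the parameterised way, and a single hand-written regex standing in for the kind of IDS signature discussed.

```python
import re
import sqlite3


def make_db():
    """Constructed sample database (not from the thread): one user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """The 'bad coding' login: user input is pasted straight into the SQL text.

    With the thread's input  ' OR 1=1--  the WHERE clause collapses to
    username = '' OR 1=1 and the rest of the statement becomes a comment,
    so the check passes without a valid password.
    """
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn, username, password):
    """The secure-programming login: values travel as bound parameters.

    The driver never interprets the input as SQL, so the same string is
    simply compared against the username column and matches nothing.
    """
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# A minimal signature in the spirit of the IDS rules the thread talks about:
# a quote, then OR, then the 1=1 tautology. It is deliberately narrow, which
# is exactly the "sig based is just that, sig based" limitation Todd raises.
BASIC_SQLI_SIG = re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE)


def sig_matches(field_value):
    """True if the submitted form field trips the basic signature."""
    return bool(BASIC_SQLI_SIG.search(field_value))


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1--"  # the input quoted in the thread
    print("concat login with payload :", login_concat(db, payload, "x"))   # True
    print("param  login with payload :", login_param(db, payload, "x"))    # False
    print("param  login, real creds  :", login_param(db, "alice", "correct-horse"))  # True
    print("signature fires on payload:", sig_matches(payload))             # True
    print("signature on O'Brien      :", sig_matches("O'Brien"))           # False
```

The signature is only a safety net in front of code you do not control, which is the service-provider position Faisal describes; the parameterised query is the change that actually removes the flaw, which is the point Tim, Todd and Leandro all make.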



