Vulnerability Development mailing list archives

RE: xml over https

From: "Burke, Charles" <Charles_Burke () HomeDepot com>
Date: Mon, 7 Feb 2005 09:08:19 -0500

This web services was not using WS Security was it?
I am assuming the xml encryption was custom or was it provided by WSE?

-----Original Message-----
From: Mads Rasmussen [mailto:mads () opencs com br] 
Sent: Friday, February 04, 2005 7:33 AM
To: vuln-dev () securityfocus com
Subject: Re: xml over https

Actually it turned out to be way much simpler than I thought, the 
application sends text files between server and client, formatted in
XML. Some of the fields are encrypted with 3des but the key was
hardcoded and 
I managed to write a tiny program to decrypt the xml fields using their 
own dll without specifying the key ;-)

The application communicates through https with a portal vulnerable to 
sql injection. I haven't been able to find a login that suits but I have

mapped almost the whole DB using different queries.
If anyone know a nice guide to sql injection for SQL server (MS) I would

appreciate it

Regards,

Mads

Current thread:

xml over https Mads Rasmussen (Feb 02)
- <Possible follow-ups>
- RE: xml over https Butler, Theodore (Feb 05)
  - Re: xml over https Mads Rasmussen (Feb 05)
- Re: xml over https Barnett E. Kurtz (Feb 07)
- RE: xml over https Burke, Charles (Feb 07)
  - Re: xml over https Mads Rasmussen (Feb 11)