WebApp Sec mailing list archives
Re: XSS, SQL injection etc - permutations of input strings
From: Harrison Gladden <hgladden () gmail com>
Date: Sun, 19 Sep 2004 04:00:45 -0500
Good point.. but i think in some organizations unless you show the full extent of what could happen if the problem is not fixed, they are not likely to waste time and effort to fix it in a timely manner before things go haywire ~Harrison On Sat, 18 Sep 2004 19:15:54 -0400, Mike Andrews <mike () se fit edu> wrote:
Over the past few days I've seen many posts about different ways of encoding XSS/SQL injection strings, as well as leveraging a discovered vulnerability in order to get more information about the target (other DB fields/schema). The question I'd like to ask the list is once you know a particular input vector is vulnerable, why are people trying to push the exploit further, assuming that they are pen-testing rather than hacking the target? For the uninformed client, being able to show them that you 0wn3 their server/app once should be enough to treat *any* discovered flaw as serious enough to fix, even if it's only a JS alert box, a "or 1=1", or a "select from another table" attack. My assumption here is a tester should use a variety of inputs to see how an application responds, but when it's clear that there's a defect somewhere you report the flaw back to the developers, telling them what/when/how, etc, then work with them to ensure they only accept *valid* input and not just filter for all of the ways you've attacked the flaw. There's obviously alternative inputs (i.e. debugging to help understand the defect), re-testing issues, and ensuring the fix actually did what it was supposed to, but my belief is that once developers know they have a problem (for whatever reason) they are in much better position to put in a generic fix. Any thoughts on this. What is the point of extending an attack to (for example) discover the entire DB schema unless it is just showing off? Cheers, Mike ---- Mike Andrews Florida Institute of Technology
-- ___________________________________ Harrison Gladden <hgladden () gmail com> Computer Engineer & Science Major ~Past experience: He who never makes mistakes, never did anything that's worth.~
Current thread:
- XSS, SQL injection etc - permutations of input strings Mike Andrews (Sep 18)
- Re: XSS, SQL injection etc - permutations of input strings Harrison Gladden (Sep 20)
- RE: XSS, SQL injection etc - permutations of input strings Mike Andrews (Sep 21)
- RE: XSS, SQL injection etc - permutations of input strings Eyal Udassin (Sep 20)
- Re: XSS, SQL injection etc - permutations of input strings Ben Timby (Sep 20)
- Re: XSS, SQL injection etc - permutations of input strings Keith Roberts (Sep 21)
- Re: XSS, SQL injection etc - permutations of input strings Devdas Bhagat (Sep 23)
- Re: XSS, SQL injection etc - permutations of input strings focus (Sep 27)
- Re: XSS, SQL injection etc - permutations of input strings James Barkley (Sep 29)
- Re: XSS, SQL injection etc - permutations of input strings Devdas Bhagat (Sep 23)
- Re: XSS, SQL injection etc - permutations of input strings Harrison Gladden (Sep 20)
- Re: XSS, SQL injection etc - permutations of input strings Jonathan Angliss (Sep 22)
- <Possible follow-ups>
- Re: XSS, SQL injection etc - permutations of input strings focus (Sep 21)
- RE: XSS, SQL injection etc - permutations of input strings Scovetta, Michael V (Sep 22)