WebApp Sec mailing list archives

Re: aspx applications SQL Injection


From: Adam Shostack <adam () homeport org>
Date: Tue, 12 Oct 2004 20:51:25 -0400

Offer to do another pen test, and only bill if you get through. :)

Adam

On Tue, Oct 12, 2004 at 08:23:16AM +0000, Mohamed Ali wrote:
| Hi all,
| 
| I did a full pen-test on my client’s web application and I can get almost 
| all the data and data dictionary information I need by exploiting SQL 
| injection vulnerabilities they have in many dynamic pages.
| 
| The question is: when I discussed these issues with the IT people, they 
| recommend not to solve any of them but just to convert to .Net technology. 
| I’m not familiar with .Net tech, but this recommendation sounds weird to me. 
| IS THERE ANY WAY TO PROVE THAT THEIR RECOMMENDATION IS NOT ENOUGH TO 
| PREVENT UNAUTHORIZED ACCESS THROUGH SQL INJECTION? (Their platform: IIS, SQL 
| Server and Oracle.)
| 
| 
| Any suggestions would be appreciated.
| 
| Thanks
| 
| 
| 
| Ahmed Rashad
| IT Audit Manager
| Experts.ae
| 
| 
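An added example, not part of either message: the same string-concatenated query a classic ASP page would build, written as .NET code next to its parameterized form, to show that the flaw follows the query construction and not the platform. The table, column and class names are hypothetical, and the code assumes `System.Data.SqlClient` (built into .NET Framework, a NuGet package of the same name on newer .NET); no database connection is needed because the commands are only built, not executed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class QueryConstructionDemo
{
    // Still injectable after a port to .NET: the input becomes part of the
    // SQL text, so a quote in it can change the statement's structure.
    static SqlCommand BuildConcatenated(string userName)
    {
        return new SqlCommand(
            "SELECT id, email FROM users WHERE name = '" + userName + "'");
    }

    // Hardened: the SQL text is a constant. The input travels as a typed
    // parameter value and is never parsed as SQL by the server.
    static SqlCommand BuildParameterized(string userName)
    {
        SqlCommand cmd = new SqlCommand(
            "SELECT id, email FROM users WHERE name = @name");
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 64).Value = userName;
        return cmd;
    }

    static void Main()
    {
        // Constructed inputs for a regression check: one ordinary value and
        // one containing a quote character and SQL keywords.
        string ordinary = "alice";
        string quoted = "x' OR '1'='1";

        SqlCommand weak = BuildConcatenated(quoted);
        SqlCommand safe = BuildParameterized(quoted);

        Console.WriteLine("concatenated : " + weak.CommandText);
        Console.WriteLine("parameterized: " + safe.CommandText);
        Console.WriteLine("  @name value: " + safe.Parameters["@name"].Value);

        // The statement text must not depend on user input. This holds for
        // the parameterized builder and fails for the concatenated one.
        bool weakFixed = BuildConcatenated(ordinary).CommandText == weak.CommandText;
        bool safeFixed = BuildParameterized(ordinary).CommandText == safe.CommandText;
        Console.WriteLine("concatenated text independent of input : " + weakFixed);
        Console.WriteLine("parameterized text independent of input: " + safeFixed);
    }
}
```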

