WebApp Sec mailing list archives
Re: aspx applictions SQL Injection
From: Adam Shostack <adam () homeport org>
Date: Tue, 12 Oct 2004 20:51:25 -0400
Offer to do another pen test, and only bill if you get through. :)

Adam

On Tue, Oct 12, 2004 at 08:23:16AM +0000, Mohamed Ali wrote:
| Hi all,
|
| I did a full pen-test on my client's web application and I can get almost
| all data and data dictionary information I need through exploiting SQL
| injection vulnerabilities they have in many dynamic pages.
|
| The question is, when I discussed these issues with IT people they
| recommended not to solve any of them but just converting to .Net technology.
| I'm not familiar with .Net tech, but this recommendation sounds weird to me.
| IS THERE ANY WAY TO PROVE THAT THEIR RECOMMENDATION IS NOT ENOUGH TO
| PREVENT UNAUTHORIZED ACCESS THROUGH SQL INJECTION? (Their platform: IIS, SQL
| Server and Oracle.)
|
| Any suggestions would be appreciated.
|
| Thanks
|
| Ahmed Rashad
| IT Audit Manager
| Experts.ae