WebApp Sec mailing list archives

Re: ISA Server and SQL Injection

From: Matthieu Estrade <mestrade () apache org>
Date: Thu, 17 Feb 2005 21:56:49 +0000

Bogdan Tomchuk wrote:

Protection against this kind of injection is just other way of patching the
code, so useless, because this assume knowing difference between "good" and
"bad" URL, so for OWA, for example, you define list of templates for all
known "good" URL and anything else will be consider as SQL injection. I do
not understand why to spend money on expensive firewall staff if you can
patch or upgrade software.

Sure, if the patch is available. (A webapp firewall is a protectionagainst way to exploit a web app vulnerability, not against someidentified vulnerable application only). So patching is not the onlysolution. if it was, explain me why so many system are vulnerable toworm that exploit old vuln, and today, some worm are still doing so muchdisaster.

Now tell me how you protect a web app developped by an internal team, acustom web app. Which patch are you waiting and from who ??? i am notsure each company do automatic and permanent web vulnerability assessment.

Keep your software current is always better then "imaginable" security given
by software level firewall especially against SQL injection.

In a perfect world, maybe... You should say this to big companies withsecurity team, they are all dumb and do not understand security. theyshould not use firewall but only windows update program or apt-get distupgrade ;)

Do you know the life of a vulnerability ? many times, the vuln stayprivate, then public and then vendors do patch. How long between theprivate and the patch ?? sometimes few days, sometimes years... So youstay vuln during all this time because you are "up to date !!!"

Many big companies separate the team doing security, the one doing webdev, the one maintaining the network etc... All these team are notsynchronized on what happen in each other.When the security team is not in contact with the app guy and they arein charge of security. What are they doing ? they install some web appfirewall to prevent attack.

Current thread:

ISA Server and SQL Injection Rafael San Miguel (Feb 14)
- Re: ISA Server and SQL Injection Tim Hoolihan (Feb 17)
- <Possible follow-ups>
- RE: ISA Server and SQL Injection John Steer (Feb 15)
  - Re: ISA Server and SQL Injection Matthieu Estrade (Feb 16)
    - Re: ISA Server and SQL Injection Bogdan Tomchuk (Feb 16)
    - Re: ISA Server and SQL Injection Matthieu Estrade (Feb 17)
    - Re: ISA Server and SQL Injection Bogdan Tomchuk (Feb 17)
    - Re: ISA Server and SQL Injection Matthieu Estrade (Feb 17)
    - RE: ISA Server and SQL Injection Marty Block (Feb 19)
    - Re: ISA Server and SQL Injection fantomas (Feb 28)
- RE: ISA Server and SQL Injection Hofmeyr, Michael (ZA - Johannesburg) (Feb 15)
  - Re: ISA Server and SQL Injection Darren Bounds (Feb 16)
- RE: ISA Server and SQL Injection charles freeman (Feb 16)
- RE: ISA Server and SQL Injection Roberto GABERGI (Feb 17)
- RE: ISA Server and SQL Injection Jeff Robertson (Feb 17)
  - Re: ISA Server and SQL Injection Matthieu Estrade (Feb 17)
- RE: ISA Server and SQL Injection Sebastien Deleersnyder (Feb 19)
  - Re: ISA Server and SQL Injection Matthieu Estrade (Feb 19)

(Thread continues...)