NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Immunitysec Daily Dave> 2007-q4

Re: [Dailydave] From blackbox to grey-box during Web App tests

From: Adriel Desautels (adrielnetragard.com)
Date: Fri Oct 12 2007 - 14:25:00 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Regarding SQL Injection:

Why don't more people just use Parameterized Stored Proceedures? Is it
because there are implimentation issues or because people don't know
about them? Whats your opinion?

Regards,
        Adriel T. Desautels
        Chief Technology Officer
        Netragard, LLC.
        Office : 617-934-0269
        Mobile : 617-633-3821
        http://www.linkedin.com/pub/1/118/a45

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Dave Aitel wrote:
> So Fortify has this out - it's interesting, but I think it's not what
> I want. Has anyone used it?
>
> http://www.fortifysoftware.com/products/tracer/
>
> I dunno why everyone gets so hung up on metrics when they should be
> going for the jugular.
>
> What I want is to use SPIKE Proxy and while I'm testing the web app
> have every CreateProcess and SQL Statement fed to me and then have a
> filter so I can look only at what I care about (and avoid spamming
> their network too much - especially on busy sites).
>
> Theoretically you could then write something that autodetected and
> bypassed filters and automated getting you your SQL injection in the
> first place. And you would have at least one eye in the land of the
> blind SQL Injection.
>
> It's probably more work to write this email than write up the code
> using Immunity Debugger and SPIKE Proxy, so maybe I'll just go off and
> do that.
>
> -dave
>

_______________________________________________
Dailydave mailing list
Dailydavelists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave

application/pgp-signature attachment: OpenPGP digital signature

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]