Re: Looking for help against Chinese Hacking Team

From: Adriel T. Desautels (ad_listsnetragard.com)
Date: Mon Dec 15 2008 - 14:49:42 CST


"Even stored procedures could be injected if no proper validation is
done, you know"

You cannot perform SQL Injection against a web application that is
using properly designed Parameterized Stored Procedures. That means
that you would be using both Stored Procedures and a Parameterized
query. I don't think that I'm wrong, if I am then please prove it
because I don't know everything.

OWASP is the Open Web Application Security Project and it offers
sufficient resources to build a secure web application. If one follows
the OWASP guide and reads the OWASP material then they will be able to
build a sufficiently secure web application. Do you disagree?

I do however agree that a Penetration Tester should not fix the
application, but the tester should be able to provide a clear and
viable method for remediation. We deliver a variety of security
services to our customers, one of those being Web Application Security
Assessments. We include viable and realistic methods for remediation
in all of our deliverables. Anyone that doesn't isn't doing their job.

On Dec 15, 2008, at 3:34 PM, ArcSighter Elite wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Adriel T. Desautels wrote:
>> Hi there,
>> The real problem here is that you don't know what you are doing (yet).
>> Let me pad that by saying that you're clearly not a security expert and
>> as such you shouldn't be expected to know how to solve this problem. The
>> solution is simple though, especially if you're dealing with SQL
>> Injection. Before I give you the solution for free (which is posted all
>> over the web) I'll ramble on a bit.
>>
>> First, when you went through your "waves" of security experts, what
>> was your decision criteria? I'll admit that there are not very many real
>> "experts" out there and that there are a lot of fraudulent ones. A real
>> expert would have provided you with a solution to your problem
>> immediately while some of the others (on this list too) have no clue
>> what they are doing. Unfortunately, most of your Certified Ethical
>> Hackers also don't have a clue (certifications are political and not
>> always a real representation of talent).
>>
>> Why am I taking the time to write this? Well honestly I am sick and
>> tired of the bad name that these "Fake" security experts are giving to
>> real experts. They offer "penetration tests" that start at $500.00, or
>> Web Application Security Assessments that start at $700.00 when it is
>> IMPOSSIBLE to do either at those prices.
>>
>> The fact of the matter is that your average and real "security
>> expert" will have a man hour rate of about 190-350 an hour. The average
>> "good" web application penetration test will take more than 10 hours to
>> do. That does not include time to write reports, to do research, to
>> analyze unique issues, or to do a lot of the other manually intensive
>> work that needs to be done to do the work properly. Can that all be
>> done for $500.00? You do the math.... (the answer is no). Generally
>> speaking if you are asking for an application assessment you're going to
>> spend over $10,000.00. If you're not then you're getting ripped off.
>>
>> So anyway, the solution to your problem is as follows:
>>
>> 1-) Your problem appears to be that you suffer from exploitable SQL
>> Injection Vulnerabilities.
>> 2-) Your solution is to implement Parameterized Stored Procedures in
>> conjunction with strong input and data validation.
>>
>> Check out http://www.owasp.org as a reference, or you can hire my
>> team to do a kick-ass job and get you locked down good and tight. You
>> most probably have many other risks that you are unaware of that can be
>> dealt with by the right team. If you have any questions I'm a big
>> proponent of free advice.
>>
>>>> From: harveyfrank <joetticadvisors.com>
>>>> Date: December 12, 2008 19:59:19 EST
>>>> To: pen-test@securityfocus.com
>>>> Subject: Looking for help against Chinese Hacking Team
>>>>
>>>>
>>>> We've been battling the Chinese for several months now and have gone
>>>> through several waves of US security experts who have failed to stop
>>>> them. In their defense, we are not on an unlimited budget and they've
>>>> gotten us to a point where it looks as though somewhere among the
>>>> site's 400 scripts is a SQL injection vulnerability.
>>>>
>>>> Automated testing by a few pen test products seems to think we're
>>>> fine. We definitely are not.
>>>>
>>>> Is it possible to hire a CEH to find the Chinese-discovered
>>>> vulnerability for a few hundred dollars? (We aren't just being cheap,
>>>> we've blown our wad on security that hasn't worked.) Would someone
>>>> with intimate knowledge of the latest wave of Chinese attacks be
>>>> required for this job? Besides our first rate security team that's
>>>> just been beat, I've tried the $200 pen test folks and they have all
>>>> failed. Microsoft security help has also failed.
>>>>
>>>> Advice (Besides porting to Linux)? Help?
>>>> --
>>>> View this message in context:
>>>> http://www.nabble.com/Looking-for-help-against-Chinese-Hacking-Team-tp20986210p20986210.html
>>>>
>>>> Sent from the Penetration Testing mailing list archive at
>>>> Nabble.com.
>>>>
>>>>
>>>> ------------------------------------------------------------------------
>>>> This list is sponsored by: Cenzic
>>>>
>>>> Security Trends Report from Cenzic
>>>> Stay Ahead of the Hacker Curve!
>>>> Get the latest Q2 2008 Trends Report now
>>>>
>>>> www.cenzic.com/landing/trends-report
>>>> ------------------------------------------------------------------------
>>>>
>>>
>>
>> Adriel T. Desautels
>> ad_lists@netragard.com
>>
>
> Alluding to my previous message, he isn't a security expert, and maybe I
> misunderstood about he wants to know HOW they're breaking in. Maybe I
> was wrong. In the meantime, I totally agree with you that
> non-knowledgeable security people are giving a bad name to true experts.
> But think about your post. Even stored procedures could be injected if
> no proper validation is done, you know. Second, owasp will give him a
> framework about pen-testing web applications, although it gives some
> workarounds it's not designed to be some sort of secure coding guide.
> Secondly, we got something wrong here. The pen-tester shouldn't fix the
> application; developers must. And of course, input validation is the
> issue behind SQL injection, BoFs, remote includes; it isn't new, don't
> you think.
>
> Sincerely.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFJRr9uH+KgkfcIQ8cRAtZIAJ4qDciOQM65eOZ3VceHi4hQIwIAGwCg9ZZ3
> 5LzYN+bwXiNel3+r/Gy5S9M=
> =BV75
> -----END PGP SIGNATURE-----

Adriel T. Desautels
ad_lists@netragard.com
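To make the disagreement above concrete, here is an added illustration written for this archive page; it is not code from either poster. It shows the same lookup three ways: assembled by string concatenation, with a bound parameter, and with an allow-list check of the kind the thread calls "strong input validation" in front of the bound parameter. A stored procedure whose body builds and executes dynamic SQL from its argument is in the same position as `lookup_concat` (the "stored procedures can be injected" objection); a procedure that uses its parameters only as bound values is in the position of `lookup_param`. It uses Python's `sqlite3` module with an in-memory table; the rows, names, addresses and the `USERNAME_RE` pattern are constructed for the example.

```python
# Added example for this thread (not code from either poster): the same lookup
# written three ways, run against an in-memory SQLite table with constructed rows.
import re
import sqlite3

# Constructed sample data; the names and addresses are made up.
SAMPLE_USERS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
    ("carol", "carol@example.invalid"),
]

# Allow-list for usernames (assumed policy for this example): short,
# identifier-like, no quotes or whitespace.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def make_db():
    """Create and populate the in-memory table the examples query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, name):
    """Vulnerable form: the caller's string is spliced into the SQL text, so a
    quote character in the input changes the statement's structure. A stored
    procedure whose body assembles and executes dynamic SQL from its argument
    is in exactly this position."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_param(conn, name):
    """Parameterized form: the SQL text is fixed and the value is bound
    separately, so the input is only ever compared as data. A stored procedure
    that uses its parameters only as bound values behaves like this."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


def is_valid_username(name):
    """Allow-list validation: defence in depth in front of the bound query,
    not a substitute for it."""
    return USERNAME_RE.fullmatch(name) is not None


def lookup_validated(conn, name):
    """Both controls together: reject malformed input, then bind the value."""
    if not is_valid_username(name):
        raise ValueError("rejected username")
    return lookup_param(conn, name)


if __name__ == "__main__":
    db = make_db()
    tainted = "x' OR '1'='1"  # constructed input containing a quote character
    print("concat, benign   :", lookup_concat(db, "alice"))
    print("concat, tainted  :", lookup_concat(db, tainted))  # every row comes back
    print("param, tainted   :", lookup_param(db, tainted))   # no row matches
    print("validate, tainted:", is_valid_username(tainted))  # rejected
```

The concatenated version returns every row for the tainted input because the quote terminates the literal and the rest is parsed as SQL; the bound version returns nothing because the whole string is compared as a value. The allow-list rejects the input before any query runs, which is why the thread's advice pairs the two rather than relying on either alone.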
