Re: ISA Server and SQL Injection
From: Matthieu Estrade (mestrade at apache.org)
Date: Thu Feb 17 2005 - 15:39:01 CST
Jeff Robertson wrote:
>>-----Original Message-----
>>From: Matthieu Estrade [mailto:mestrade at apache.org]
>>Sent: Thursday, February 17, 2005 08:58
>>To: webappsec at securityfocus.com
>>Subject: Re: ISA Server and SQL Injection
>>
>>Yes sure, if you code an application using some SQL query in a parameter, you
>>should read "howto do secure code for webapp"....
>>Applications mainly use the value after it is used by the application inside a
>>query, but the query is in the code.
>>
>>http://www.toto.com/test.php?product_id=4 is ok and there is NO WAY to
>>see here some SQL syntax.
>>
>>http://www.toto.com/test.php?product_id=SELECT%20*%20FROM%20product%20WHERE%20id=4
>>is not ok, and you should fire the developer doing this....
>
>What if your web app is a web based forum where people discuss web security,
>and someone participating in a discussion about SQL Injection wants to post
>a message that has some SQL in it? How will the firewall know it from the
>real thing?
>
I totally agree with you, but in this case, all your traffic containing a
possible attack will wake up all security detection systems. What you
speak about can be protected with a good whitelist setup with
knowledge of the forum to secure. A blacklist will always warn and block...
It depends how you want to secure your webapp.
No setup -> blacklist with the limitation of a pattern matching protection
Setup -> whitelist with a granular filter on each parameter and url.
>Jeff Robertson
>Manager of Web Application Security
>Digital Insigh
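As an added illustration of the blacklist versus whitelist distinction in the reply above (example code written for this page, not from any product or list member): the blacklist applies one SQL pattern to every value, so the forum post Jeff describes trips it, while a per-URL, per-parameter whitelist written with knowledge of the application keeps `product_id` strictly numeric and still lets the forum message through. The `/forum/post.php` path and its `thread_id` and `message` parameters are assumed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Blacklist mode ("no setup"): one SQL-looking pattern applied to every value.
# Constructed for this example, not any product's real signature set.
SQL_BLACKLIST = re.compile(
    r"\b(select|union|insert|update|delete|drop)\b.*\b(from|into|where)\b", re.I | re.S
)

# Whitelist mode ("setup"): per-URL, per-parameter rules written with knowledge
# of the application. The forum path and parameter names are hypothetical.
WHITELIST = {
    "/test.php": {"product_id": re.compile(r"[0-9]{1,9}")},
    "/forum/post.php": {
        "thread_id": re.compile(r"[0-9]{1,9}"),
        # Free text up to 4000 chars; control characters other than tab/CR/LF
        # rejected, SQL keywords deliberately allowed.
        "message": re.compile(r"[^\x00-\x08\x0b\x0c\x0e-\x1f]{1,4000}"),
    },
}


def blacklist_check(url):
    """Return (allowed, reason); blocks any value matching the SQL pattern."""
    parts = urlsplit(url)
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if SQL_BLACKLIST.search(value):
                return False, f"blacklist hit in {name}"
    return True, "ok"


def whitelist_check(url):
    """Return (allowed, reason); only known URLs, known parameters and
    values that fully match their per-parameter rule are allowed."""
    parts = urlsplit(url)
    rules = WHITELIST.get(parts.path)
    if rules is None:
        return False, f"unknown url {parts.path}"
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        rule = rules.get(name)
        if rule is None:
            return False, f"unknown parameter {name}"
        for value in values:
            if not rule.fullmatch(value):
                return False, f"parameter {name} fails its whitelist"
    return True, "ok"
```

Run both checks over the two test.php URLs quoted in the thread and over a constructed forum post that quotes the same SQL in its `message` parameter to see where each mode warns.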