Re: ISA Server and SQL Injection
From: Matthieu Estrade (mestradeapache.org)
Date: Thu Feb 17 2005 - 15:39:01 CST
Jeff Robertson wrote:
>>From: Matthieu Estrade [mailto:mestradeapache.org]
>>Sent: Thursday, February 17, 2005 08:58
>>Subject: Re: ISA Server and SQL Injection
>>Yes sure, if you code an application using some SQL in a parameter, you
>>should read "howto do secure code for webapp"....
>>Applications mainly use the value, which is then used by the application inside a
>>query, but the query is in the code.
>>http://www.toto.com/test.php?product_id=4 is ok and there is
>>NO WAY to
>>see any SQL syntax here.
>>%20id=4 is not ok, and you should fire developers doing this....
>What if your web app is a web based forum where people discuss web security,
>and someone participating in a discussion about SQL Injection wants to post
>a message that has some SQL in it? How will the firewall know if from the
I totally agree with you, but in this case, all your traffic containing a
possible attack will wake up every security detection system. What you
speak about can be protected with a good whitelist setup, with
knowledge of the forum to secure. A blacklist will always warn and block...
It depends how you want to secure your webapp.
No setup -> blacklist, with the limitation of a pattern-matching protection
Setup -> whitelist, with granular filters on each parameter and URL.
>Manager of Web Application Security
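The blacklist-versus-whitelist distinction in the thread above, as an added example that is not code from either poster or from ISA Server: a toy request filter with a negative model (block parameter values matching known-bad SQL patterns) beside a positive model (allow only known URLs, known parameters and expected value shapes). The URLs, paths, parameter names, the blacklist patterns and the whitelist table are all constructed here for illustration; they are not a real product's ruleset. It shows the false positive Jeff raises (a forum post containing SQL trips the blacklist but passes the whitelist, because the forum body is declared as free text) and the case the blacklist misses (an unexpected extra parameter that only the whitelist rejects).

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed blacklist: a small negative-security ruleset in the spirit of
# "pattern matching protection". Illustrative only, not a real WAF signature set.
BLACKLIST = [
    re.compile(r"\bunion\b[\s\S]*\bselect\b", re.I),   # UNION ... SELECT
    re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I),       # OR 1=1 style tautology
    re.compile(r"['\"][\s\S]*--"),                     # quote followed by SQL comment
]

# Constructed whitelist: for each known URL path, the parameters it may carry
# and the exact shape each value must have. Anything not listed is rejected.
WHITELIST = {
    "/test.php": {
        "product_id": re.compile(r"^\d{1,9}$"),        # numeric id only
    },
    "/forum/post.php": {
        "thread_id": re.compile(r"^\d{1,9}$"),
        # The forum body is free text by design: SQL keywords are legitimate
        # here, so the shape constrains only length, not content.
        "body": re.compile(r"^[\s\S]{1,4000}$"),
    },
}


def parse_request(url):
    """Split a URL into its path and decoded (name, value) query pairs."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    return parts.path, params


def blacklist_check(url):
    """Negative model: block if any parameter value matches a known-bad pattern.

    Returns (allowed, reason). Needs no knowledge of the application, but
    blocks legitimate content that happens to look like an attack and passes
    anything the patterns do not anticipate.
    """
    _path, params = parse_request(url)
    for name, value in params:
        for rule in BLACKLIST:
            if rule.search(value):
                return False, f"{name!r} matched blacklist rule {rule.pattern!r}"
    return True, "no blacklist rule matched"


def whitelist_check(url):
    """Positive model: allow only known URLs, known parameters, expected shapes.

    Returns (allowed, reason). Requires a per-parameter setup for the
    application being protected, but rejects anything outside that setup
    regardless of whether it matches an attack signature.
    """
    path, params = parse_request(url)
    allowed = WHITELIST.get(path)
    if allowed is None:
        return False, f"unknown url {path!r}"
    for name, value in params:
        shape = allowed.get(name)
        if shape is None:
            return False, f"unexpected parameter {name!r} for {path!r}"
        if not shape.fullmatch(value):
            return False, f"parameter {name!r} does not match its expected shape"
    return True, "all parameters match whitelist"


# Constructed sample requests covering the cases discussed in the thread.
SAMPLE_URLS = [
    "http://www.toto.com/test.php?product_id=4",
    "http://www.toto.com/test.php?product_id=4%20or%201=1",
    "http://www.toto.com/forum/post.php?thread_id=12"
    "&body=Try%20%27%20UNION%20SELECT%20password%20FROM%20users%20--",
    "http://www.toto.com/test.php?product_id=4&debug=1",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        b_ok, b_why = blacklist_check(url)
        w_ok, w_why = whitelist_check(url)
        print(url)
        print(f"  blacklist: {'ALLOW' if b_ok else 'BLOCK'} ({b_why})")
        print(f"  whitelist: {'ALLOW' if w_ok else 'BLOCK'} ({w_why})")
```

Running the script prints one verdict per model for each constructed request: the plain `product_id=4` passes both; the `or 1=1` value is blocked by both; the forum post quoting a UNION SELECT is blocked by the blacklist but allowed by the whitelist; and the extra `debug=1` parameter passes the blacklist yet is rejected by the whitelist, which is the trade-off the reply describes between "no setup" and "setup".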