Dailydave: Re: From blackbox to grey-box during Web App tests

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Dailydave mailing list archives

Re: From blackbox to grey-box during Web App tests

From: Adriel Desautels <adriel () netragard com>
Date: Fri, 12 Oct 2007 15:25:00 -0400

Regarding SQL Injection:
        
        Why don't more people just use Parameterized Stored Proceedures?  Is it
because there are implimentation issues or because people don't know
about them? Whats your opinion?

Regards,
        Adriel T. Desautels
        Chief Technology Officer
        Netragard, LLC.
        Office : 617-934-0269
        Mobile : 617-633-3821
        http://www.linkedin.com/pub/1/118/a45

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security


Dave Aitel wrote:

So  Fortify has this out - it's interesting, but I think it's not what
I want. Has anyone used it?

http://www.fortifysoftware.com/products/tracer/

I dunno why everyone gets so hung up on metrics when they should be
going for the jugular.

What I want is to use SPIKE Proxy and while I'm testing the web app
have every CreateProcess and SQL Statement fed to me and then have a
filter so I can look only at what I care about (and avoid spamming
their network too much - especially on busy sites).

Theoretically you could then write something that autodetected and
bypassed filters and automated getting you your SQL injection in the
first place. And you would have at least one eye in the land of the
blind SQL Injection.

It's probably more work to write this email than write up the code
using Immunity Debugger and SPIKE Proxy, so maybe I'll just go off and
do that.

-dave


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

Attachment: adriel.vcf
Description:

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

By Date By Thread

Current thread:

Re: From blackbox to grey-box during Web App tests, (continued)
- Re: From blackbox to grey-box during Web App tests Andre Gironda (Oct 10)
- Re: From blackbox to grey-box during Web App tests Thomas Ptacek (Oct 10)
  - Re: From blackbox to grey-box during Web App tests Andre Gironda (Oct 11)
    - Re: From blackbox to grey-box during Web App tests J.M. Seitz (Oct 12)
    - Re: From blackbox to grey-box during Web App tests Matt Hargett (Nov 07)
- Re: From blackbox to grey-box during Web App tests Adriel Desautels (Oct 13)
  - Re: From blackbox to grey-box during Web App tests Thomas Ptacek (Oct 14)
    - Re: From blackbox to grey-box during Web App tests C Q (Oct 14)
    - Re: From blackbox to grey-box during Web App tests J.M. Seitz (Oct 15)
    - Re: From blackbox to grey-box during Web App tests C Q (Oct 14)