Home page logo

webappsec logo WebApp Sec mailing list archives

RE: SQL Injection
From: "Michael Silk" <michaels () phg com au>
Date: Thu, 10 Jun 2004 09:01:56 +1000

Hi Gunter,

        I fail to see site who mititages SQL Injection via appropriate escaping
        can be susceptible to SQL Injection due to XSS.

        On that note, if XSS and SQL Injection are both possible, stopping XSS will
        not stop SQL Injection, however it may allow for some more sneaky implementations
        of it.

        I was attempting to clear up the thought that the other poster had who
        seemed to think by stopping XSS he would also stop SQL Injection, of course
        this isn't true.

-- Michael

-----Original Message-----
From: WebAppSecurity [Technicalinfo.net]
[mailto:webappsec () technicalinfo net]
Sent: Thursday, 10 June 2004 5:10 AM
To: Michael Silk; 'Steven M. Christey'; webappsec () securityfocus com
Subject: RE: SQL Injection

      There are many many more possibilities for XSS then simply the 
      <script> tag, of course it depends on where the resulting string
      ends up, but simply replacing the <script> tag is *not* enough.

You may want to have a read of http://www.technicalinfo.net/papers/CSS.html
which goes into some of the alternitive atack vectors - and can readily
ported across for SQL insertion... In fact any code insertion attack



This email message and accompanying data may contain information that is confidential and/or subject to legal 
privilege. If you are not the intended recipient, you are notified that any use, dissemination, distribution or copying 
of this message or data is prohibited. If you have received this email message in error, please notify us immediately 
and erase all copies of this message and attachments.

This email is for your convenience only, you should not rely on any information contained herein for contractual or 
legal purposes. You should only rely on information and/or instructions in writing and on company letterhead signed by 
authorised persons.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]