Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: XSS, SQL injection etc - permutations of input strings

from [James Barkley] Network Security [Permanent Link]
Subject: Re: XSS, SQL injection etc - permutations of input strings
Date: Thu, 30 Sep 2004 06:26:18 -0400 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Depends on your setup and what you care about.  We review our weblogs
nightly and it is much much easier to see attempted hacks, including
the exact strings in sequential order.  Some sites probably see so
many sql injections or xss a day  they may not care.  However, if you
are talking about an intranet site then it is a big deal if you see
"https://intranet/login.php?user_id=1 AND select * from user" in your
weblog because it means you've got a personnel problem.  Perhaps
scrutinizing your weblogs this much seems paranoid, but it has helped
me on more than one occassion.

As far as keeping name value pairs out of the browser history, well,
nothing replaces common sense.  Don't use get requests to pass cc
numbers, passwords, session hashes, etc.

Shields, Larry wrote:

| Yet, if you don't require it, it doesn't hurt.  Keep the name/value
|pairs out of the browser history & web logs, if there's no real need to
|have them there (and if it's not https, out of the proxy logs & referer
|headers). Get rid of yet more possible sources of information
|disclosure.
|
|-Larry
|
|-----Original Message-----
|From: James Barkley [mailto:James.Barkley@noaa.gov]
|Sent: Tuesday, September 28, 2004 1:06 AM
|To: focus@karsites.net; webappsec@securityfocus.com
|Subject: Re: XSS, SQL injection etc - permutations of input strings
|
|*** PGP SIGNATURE VERIFICATION ***
|*** Status:   Unknown Signature
|*** Signer:   Unknown Key (0x6725FF31)
|*** Signed:   9/28/2004 1:05:42 AM
|*** Verified: 9/29/2004 2:30:41 PM
|*** BEGIN PGP VERIFIED MESSAGE ***
|
|
|Turning off GET requests may not buy you as much as you think.  Any
|dedicated hacker who is going to be attempting xss or sql injection,
|etc. probably knows how to save a page and tamper the post form vars.
|Also, if you do regular log checks variable tampering through GET
|requests is typically much easier to spot as the entire URL is logged
|and you can see hacking attempts as part of the URL request.
|
|*snip*


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBW99HBtvwQGcl/zERAs85AJ0aIUU0Vx6RvLR/C7KGFV1oNJjtfQCeLHLW
OsAo3onm7Uvkzn4B0CQA+qY=
=8vKd
-----END PGP SIGNATURE-----

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Hacking/security in main-stream media, Damon Leung
Next by Date:  Re: Hacking/security in main-stream media, Vlado Blaskov
Previous by Thread:  RE: XSS, SQL injection etc - permutations of input strings, Shields, Larry
Next by Thread:  online bill payment using OFX or similar?, Ido Rosen
Indexes:  [Date] [Thread] [Top] [All Lists]