Ok so I have some thoughts. No official format.

1) SQL INJECTION

"SQL injection does not work with stored procedures"... Shakes pear 1654 example:

    X = WEB VARIABLE = INTEGER
    X = 10
    EXEC MY_STOREDPROCEDURE X  =  EXEC MY_STOREDPROCEDURE 10
    ~
    X = 10;EXEC MASTER..XP_CMDSHELL''
    EXEC MY_STOREDPROCEDURE X  =  10;EXEC MASTER..XP_CMDSHELL''

2) SQL TIP

SET NOEXEC = Compiles each query but does not execute it. If 007 knows the field names used in a web page creation then 007 can obtain information from the second query.

3) http://www.microsoft.com/technet/security/bulletin/MS01-060.asp

Of course any tester that obtains SQL injection capabilities on a test site can abuse this if the test site is not patched.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
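The point of item 1 above, worked through as an added example (this is not code from the poster or from any real application): the stored procedure is not what gets injected, the batch that calls it is. If the web value X is pasted into "EXEC MY_STOREDPROCEDURE " + X, the attacker's X = 10;EXEC MASTER..XP_CMDSHELL'' becomes a second statement in the same batch. The names MY_STOREDPROCEDURE and X are taken from the post; build_exec_vulnerable, build_exec_hardened, is_valid_int_param and split_batch are hypothetical helpers written for this illustration, and split_batch is a deliberately simplified tokenizer (it only honours single-quoted strings, enough to show where the second statement begins).

```python
import re


def build_exec_vulnerable(x: str) -> str:
    """The pattern described in the post: the web variable X is pasted
    straight into the T-SQL batch. SQL Server executes the whole batch,
    so whatever follows X runs with the same rights as the procedure call."""
    return "EXEC MY_STOREDPROCEDURE " + x


def is_valid_int_param(x: str) -> bool:
    """Enforce the declared type (INTEGER) before the value reaches SQL.
    A strict pattern is used instead of int(), which in Python accepts
    underscores and surrounding whitespace and would hide the check."""
    return re.fullmatch(r"-?\d{1,10}", x.strip()) is not None


def build_exec_hardened(x: str) -> str:
    """Same call, but the parameter must be a plain integer, so the batch
    can only ever contain the one statement the developer wrote."""
    if not is_valid_int_param(x):
        raise ValueError("parameter X must be an integer")
    return "EXEC MY_STOREDPROCEDURE %d" % int(x.strip())


def split_batch(sql: str) -> list:
    """Split a T-SQL batch on ';' that sits outside single-quoted strings.
    Simplified for illustration: it shows that the attacker-supplied ';'
    starts a second, independent statement that the procedure never sees."""
    stmts, cur, in_str = [], [], False
    i = 0
    while i < len(sql):
        c = sql[i]
        if in_str:
            cur.append(c)
            if c == "'":
                if i + 1 < len(sql) and sql[i + 1] == "'":
                    cur.append("'")      # escaped quote ('') stays inside the string
                    i += 1
                else:
                    in_str = False
        elif c == "'":
            in_str = True
            cur.append(c)
        elif c == ";":
            stmts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    tail = "".join(cur).strip()
    if tail:
        stmts.append(tail)
    return stmts


if __name__ == "__main__":
    # Constructed inputs: the legitimate value and the post's payload
    # (with a harmless command in place of the empty one).
    good = "10"
    evil = "10;EXEC MASTER..XP_CMDSHELL 'dir'"
    print(split_batch(build_exec_vulnerable(good)))   # one statement
    print(split_batch(build_exec_vulnerable(evil)))   # two statements
    print(build_exec_hardened(good))
    try:
        build_exec_hardened(evil)
    except ValueError as e:
        print("rejected:", e)
```

One caveat worth remembering when reading the output: T-SQL does not require ';' between statements, so X = 10 EXEC MASTER..XP_CMDSHELL 'dir' (no semicolon at all) is also two statements. Filtering the semicolon therefore buys nothing; only enforcing the integer type, or passing X as a real parameter rather than by concatenation, closes the hole.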
