Marcos,

Please see inline,

On Wed, Sep 16, 2009 at 4:09 AM, Marcos Orallo Rodríguez <mora...@cert.inteco.es> wrote:
> Hi list,
>
> I just read a blog post by Chema Alonso [1] (maybe the Spanish guys know
> him, or last BlackHat Europe attendees) about what he calls "Inverted SQL
> Injection".

Yes, I know him, and I think that I also know you from ekoparty trainings, right?

> He tested different webapp vulnerability scanners against a vulnerable site
> with a blind sql injection sentence, only with the where comparison
> inverted:
>
> "Select * from noticias where "+get(ID)+"=id;"

Interesting, never seen this before in my life. Maybe I haven't seen it because I haven't been searching for it? What's the experience of others on the list with this subject? Any real life applications that use it? I searched for some variations of this (0) in google code search and didn't find much.

(0) http://www.google.com/codesearch?hl=es&lr=&q=WHERE%22+.+%5C%24_GET%5C%5B.*%5C%5D+%5C.+%22%3D+id%22

> All the scanners tested (Acunetix, IBM Rational AppScan and Paros in this
> first episode) fail to find this vuln, even when they can detect it easily
> with the usual sentence.

And I completely understand why they don't find it.

> It is not likely to find this sentence in real apps, but it is perfectly
> valid. I am not sure if web app scanners, particularly w3af, should include
> testing patterns for this type of sentence (or maybe it already does?) What
> do you think?

It is a good question... and it all comes down to a time vs. scan quality trade-off. There are a lot of edge cases for every vuln, not only for blind sql injection; the question is: "do we want the scanner to take 10 to 15 more minutes to run and find _everything_", or do we favor speed? I think that this should be configurable. The users should be the ones who decide this. So my plan is to add this test in the framework, but leave it disabled by default (for now). If at some point we see that there are a lot of inverted sql vulns, then we can enable it by default =)

> Probably the solution would be just to add more attack patterns to test,
> taking this sentence structure into account.

Yep.

> [1]
> http://elladodelmal.blogspot.com/2009/09/inverted-sql-queries-i-de-ii.html
> (in Spanish)

Thanks for your email =)

What do others think? Bernardo Damele, are you still on the list?

Cheers,

> ------------------------------------------------------------------------------
> Come build with us! The BlackBerry® Developer Conference in SF, CA
> is the only developer event you need to attend this year. Jumpstart your
> developing skills, take BlackBerry mobile applications to market and stay
> ahead of the curve. Join us from November 9-12, 2009. Register now!
> http://p.sf.net/sfu/devconf
> _______________________________________________
> W3af-develop mailing list
> W3af-develop@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>
>

--
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
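As an added illustration (not code from this thread or from w3af), a small sqlite3 script showing that the inverted form quoted above is exactly as injectable as the usual `where id=<input>` form, that a probe which is a complete boolean term behaves the same on either side of the `=`, and that parameterising the query closes the hole in both; the table contents and helper names are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the "noticias" table in the quoted query.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE noticias (id INTEGER PRIMARY KEY, titulo TEXT)")
    conn.executemany("INSERT INTO noticias VALUES (?, ?)",
                     [(1, "primera"), (2, "segunda"), (3, "tercera")])
    return conn


def usual_form(conn, user_input):
    # Vulnerable concatenation in the order scanners are tuned for: WHERE id=<input>
    sql = "SELECT id FROM noticias WHERE id=" + user_input
    return sorted(row[0] for row in conn.execute(sql))


def inverted_form(conn, user_input):
    # Vulnerable concatenation from the blog post: WHERE <input>=id
    sql = "SELECT id FROM noticias WHERE " + user_input + "=id"
    return sorted(row[0] for row in conn.execute(sql))


def parameterised_form(conn, user_input):
    # The fix: bind the value. Once the input is data, operand order is irrelevant.
    rows = conn.execute("SELECT id FROM noticias WHERE ?=id", (user_input,))
    return sorted(row[0] for row in rows)


def tautology_grows_result(query_fn, conn, baseline="1"):
    # Order-independent check: "<baseline> OR 1" is a complete boolean term, so it
    # parses the same whether it lands left or right of "=". Only if the input
    # reaches the SQL parser does the result set grow into a strict superset.
    base = set(query_fn(conn, baseline))
    tainted = set(query_fn(conn, baseline + " OR 1"))
    return tainted > base


if __name__ == "__main__":
    db = make_db()
    for fn in (usual_form, inverted_form, parameterised_form):
        print(fn.__name__, "injectable:", tautology_grows_result(fn, db))
```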