Andres, I agree with your idea. We should add all these evasion techniques as
they show up, but not by default (at least yet, due to the performance
impact). A configurable option allowing the analyst to select speed vs.
in-depth testing would be the best way to go in my opinion.
Cheers,
--
Raul Siles
www.raulsiles.com
On Wed, Sep 16, 2009 at 1:32 PM, Andres Riancho <andres.rian...@gmail.com> wrote:
> Marcos,
>
> Please see inline,
>
> On Wed, Sep 16, 2009 at 4:09 AM, Marcos Orallo Rodríguez
> <mora...@cert.inteco.es> wrote:
> > Hi list,
> >
> > I just read a blog post by Chema Alonso [1] (maybe the Spanish guys know
> > him, or last BlackHat Europe attendees) about what he calls "Inverted SQL
> > Injection".
>
> Yes, I know him, and I think that I also know you from ekoparty
> trainings, right?
>
> > He tested different webapp vulnerability scanners against a vulnerable site
> > with a blind sql injection sentence, only with the where comparison
> > inverted:
> >
> > "Select * from noticias where "+get(ID)+"=id;"
>
> Interesting, never seen this before in my life. Maybe I haven't
> seen it because I haven't been searching for it? What's the experience
> of others on the list with this subject? Any real life applications
> that use it? I searched for some variations of this (0) in google code
> search and didn't find much.
>
> (0)
> http://www.google.com/codesearch?hl=es&lr=&q=WHERE%22+.+%5C%24_GET%5C%5B.*%5C%5D+%5C.+%22%3D+id%22
>
> > All the scanners tested (Acunetix, IBM Rational AppScan and Paros in this
> > first episode) fail to find this vuln, even when they can detect it easily
> > with the usual sentence.
>
> And I completely understand why they don't find it.
>
> > It is not likely to find this sentence in real apps, but it is perfectly
> > valid. I am not sure if web app scanners, particularly w3af, should include
> > testing patterns for this type of sentence (or maybe it already does?) What
> > do you think?
>
> It is a good question... and it all comes down to a time vs. scan quality
> trade-off. There are a lot of edge cases for every vuln, not only for
> blind sql injection, the question is: "do we want the scanner to take
> 10 to 15 more minutes to run and find _everything_" or do we favor
> speed? I think that this should be configurable. The users should be
> the ones that decide this. So my plan is to add this test in the
> framework, but leave it disabled by default (for now). If at some
> point we see that there are a lot of inverted sql vulns, then we can
> enable it by default =)
>
> > Probably the solution would be just to add more attack patterns to test,
> > taking this sentence structure into account.
>
> Yep.
>
> > [1] http://elladodelmal.blogspot.com/2009/09/inverted-sql-queries-i-de-ii.html
> > (in Spanish)
>
> Thanks for your email =)
> What do others think? Bernardo Damele, are you still on the list?
>
> Cheers,
>
> >
> ------------------------------------------------------------------------------
> > Come build with us! The BlackBerry® Developer Conference in SF, CA
> > is the only developer event you need to attend this year. Jumpstart your
> > developing skills, take BlackBerry mobile applications to market and stay
> > ahead of the curve. Join us from November 9-12, 2009. Register
> now!
> > http://p.sf.net/sfu/devconf
> > _______________________________________________
> > W3af-develop mailing list
> > W3af-develop@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/w3af-develop
> >
> >
>
>
>
> --
> Andrés Riancho
> Founder, Bonsai - Information Security
> http://www.bonsai-sec.com/
> http://w3af.sf.net/
>
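The point Marcos and Andres are discussing, shown in runnable form. This is an added example and is not w3af code or code from the thread or from Chema Alonso's post: it builds the two vulnerable query shapes (the usual `WHERE id=<param>` and the inverted `WHERE <param>=id` from the post) against a constructed in-memory SQLite table, and runs a boolean-based blind probe against each with the payload family scanners send today (`<value> AND <cond>`) and with an inverted-aware one (`<cond> AND <value>`, so the application's trailing `=id` closes the expression). The table, row ids, function names and the detection rule (true-condition response equals the baseline, false-condition response differs) are all assumptions of this example.

```python
import sqlite3

# Constructed sample data (assumption of this example, not from the thread).
# Ids deliberately avoid 0 and 1 so that a mis-parsed probe such as
# "WHERE 5 AND 1=1=id", which SQLite reads as "5 AND ((1=1)=id)" i.e. "1=id",
# cannot match a row by accident.
ROWS = [(5, "primera"), (6, "segunda"), (7, "tercera")]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE noticias (id INTEGER PRIMARY KEY, titulo TEXT)")
    conn.executemany("INSERT INTO noticias VALUES (?, ?)", ROWS)
    return conn


def _run(conn, sql):
    # A syntax error is returned as None, standing in for an application error page.
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None


def sink_classic(conn, value):
    """Vulnerable query in the usual shape: ... WHERE id=<param>"""
    return _run(conn, "SELECT * FROM noticias WHERE id=" + value)


def sink_inverted(conn, value):
    """Vulnerable query in the inverted shape from the post: ... WHERE <param>=id"""
    return _run(conn, "SELECT * FROM noticias WHERE " + value + "=id")


def classic_payload(base, cond):
    # What boolean-based blind checks usually send: original value, then the condition.
    # Against the inverted sink this yields "WHERE 5 AND 1=1=id", where the trailing
    # "=id" attaches to the condition instead of to the original value.
    return f"{base} AND {cond}"


def inverted_payload(base, cond):
    # Condition first, original value last, so "=id" appended by the application
    # rebuilds the original comparison: "WHERE 1=1 AND 5=id".
    return f"{cond} AND {base}"


def boolean_blind_detect(sink, conn, base, make_payload):
    """Report a finding only if the true condition reproduces the baseline page
    and the false condition changes it; anything else is noise, not a detection."""
    baseline = sink(conn, base)
    true_resp = sink(conn, make_payload(base, "1=1"))
    false_resp = sink(conn, make_payload(base, "1=2"))
    return baseline is not None and true_resp == baseline and false_resp != baseline


def detection_matrix(base="5"):
    """Which payload family finds which query shape: {(sink, payload): detected}"""
    conn = _connect()
    sinks = {"classic": sink_classic, "inverted": sink_inverted}
    payloads = {"classic": classic_payload, "inverted": inverted_payload}
    return {(s, p): boolean_blind_detect(sinks[s], conn, base, payloads[p])
            for s in sinks for p in payloads}


if __name__ == "__main__":
    for (sink_name, payload_name), found in sorted(detection_matrix().items()):
        print(f"{sink_name:8s} sink, {payload_name:8s} payload -> detected={found}")
```

Each payload family only finds its own query shape, which is why the scanners in the post miss the inverted sentence and why the fix is an extra attack pattern rather than a smarter oracle. The SQLite behaviour above (the classic probe parses but compares the wrong operands) is dialect-specific: on SQL Server `WHERE 5 AND 1=1=id` is a syntax error instead, so the classic probe comes back as an error page there; in neither case does the scanner see the true/false difference it is looking for.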