New post updated with w3af results, the same as with other scanners:
http://elladodelmal.blogspot.com/2009/09/inverted-sql-queries-ii-de-ii.html
Cheers,
Raul Siles wrote:
Andres,
I agree with your idea. We should add all these evasion
techniques as they show up, but not by default (at least yet, due to
the performance impact). A configurable option allowing the analyst to
select speed vs. in-depth testing would be the best way to go in my
opinion.
Cheers,
--
Raul Siles
www.raulsiles.com
On Wed, Sep 16, 2009 at 1:32 PM, Andres Riancho <andres.rian...@gmail.com> wrote:
Marcos,
Please see inline,
On Wed, Sep 16, 2009 at 4:09 AM, Marcos Orallo Rodríguez <mora...@cert.inteco.es> wrote:
> Hi list,
>
> I just read a blog post by Chema Alonso [1] (maybe the Spanish guys know
> him, or last BlackHat Europe attendees) about what he calls "Inverted SQL
> Injection".
Yes, I know him, and I think that I also know you from ekoparty
trainings, right?
> He tested different webapp vulnerability scanners against a vulnerable site
> with a blind sql injection sentence, only with the where comparison
> inverted:
>
> “Select * from noticias where ”+get(ID)+”=id;”
Interesting, never seen this before in my life. Maybe I haven't
seen it because I haven't been searching for it? What's the experience
of others on the list with this subject? Any real-life applications
that use it? I searched for some variations of this (0) in Google Code
Search and didn't find much.
(0) http://www.google.com/codesearch?hl=es&lr=&q=WHERE%22+.+%5C%24_GET%5C%5B.*%5C%5D+%5C.+%22%3D+id%22
> All the scanners tested (Acunetix, IBM Rational AppScan and Paros in this
> first episode) fail to find this vuln, even when they can detect it easily
> with the usual sentence.
And I completely understand why they don't find it.
> It is not likely to find this sentence in real apps, but it is perfectly
> valid. I am not sure if web app scanners, particularly w3af, should include
> testing patterns for this type of sentence (or maybe it already does?) What
> do you think?
It is a good question... and it all comes down to a time vs. scan quality
trade-off. There are a lot of edge cases for every vuln, not only for
blind sql injection. The question is: "do we want the scanner to take
10 to 15 more minutes to run and find _everything_", or do we favor
speed? I think that this should be configurable. The users should be
the ones who decide this. So my plan is to add this test to the
framework, but leave it disabled by default (for now). If at some
point we see that there are a lot of inverted sql vulns, then we can
enable it by default =)
> Probably the solution would be just to add more attack patterns to test,
> taking this sentence structure into account.
Yep.
Thanks for your email =)
What do others think? Bernardo Damele, are you still on the list?
Cheers,
--
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
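To make the two query shapes discussed above concrete, here is an added Python/sqlite3 example (not code from the thread, from w3af, or from the blog post): it builds the usual and the inverted query by string concatenation side by side with a validated, parameterized version, so the same input can be run through all three. The `noticias` table contents and the inputs are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the thread's 'noticias' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE noticias (id INTEGER PRIMARY KEY, titulo TEXT)")
    conn.executemany("INSERT INTO noticias VALUES (?, ?)",
                     [(1, "uno"), (2, "dos"), (3, "tres")])
    return conn


def normal_concat(conn, raw_id):
    """Usual vulnerable shape: the parameter sits on the right of the comparison."""
    sql = "SELECT id FROM noticias WHERE id=" + raw_id
    return conn.execute(sql).fetchall()


def inverted_concat(conn, raw_id):
    """Inverted shape from the thread: the parameter sits on the left of '=id'.
    Scanner test patterns written for the usual shape may not account for this
    layout, but the concatenation is just as injectable."""
    sql = "SELECT id FROM noticias WHERE " + raw_id + "=id"
    return conn.execute(sql).fetchall()


def parameterized(conn, raw_id):
    """Hardened form: validate the type, then bind the value. Operand order no
    longer matters because the input can never become SQL syntax."""
    try:
        id_value = int(raw_id)
    except ValueError:
        return []  # reject non-numeric ids before they reach the database
    return conn.execute("SELECT id FROM noticias WHERE ?=id", (id_value,)).fetchall()


def compare_shapes(raw_id):
    """Run one input through all three query builders and return the ids each yields."""
    conn = make_db()
    return {
        "normal": normal_concat(conn, raw_id),
        "inverted": inverted_concat(conn, raw_id),
        "parameterized": parameterized(conn, raw_id),
    }


if __name__ == "__main__":
    # A legitimate id, then a tautology: both concatenated shapes return every
    # row for the tautology, while the parameterized version rejects it.
    for raw in ("2", "1 OR 1=1"):
        print(repr(raw), compare_shapes(raw))
```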
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop