[Dailydave] From blackbox to grey-box during Web App tests

Adriel Desautels adriel at netragard.com
Fri Oct 12 15:25:00 EDT 2007 

Regarding SQL Injection:
	
	Why don't more people just use Parameterized Stored Proceedures?  Is it
because there are implimentation issues or because people don't know
about them? Whats your opinion?

Regards,
	Adriel T. Desautels
	Chief Technology Officer
	Netragard, LLC.
	Office : 617-934-0269
	Mobile : 617-633-3821
	http://www.linkedin.com/pub/1/118/a45

---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security


Dave Aitel wrote:
> So  Fortify has this out - it's interesting, but I think it's not what
> I want. Has anyone used it?
> 
> http://www.fortifysoftware.com/products/tracer/
> 
> I dunno why everyone gets so hung up on metrics when they should be
> going for the jugular.
> 
> What I want is to use SPIKE Proxy and while I'm testing the web app
> have every CreateProcess and SQL Statement fed to me and then have a
> filter so I can look only at what I care about (and avoid spamming
> their network too much - especially on busy sites).
> 
> Theoretically you could then write something that autodetected and
> bypassed filters and automated getting you your SQL injection in the
> first place. And you would have at least one eye in the land of the
> blind SQL Injection.
> 
> It's probably more work to write this email than write up the code
> using Immunity Debugger and SPIKE Proxy, so maybe I'll just go off and
> do that.
> 
> -dave
> 

_______________________________________________
Dailydave mailing list
Dailydave at lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave
-------------- next part --------------
A non-text attachment was scrubbed...
Name: adriel.vcf
Type: text/x-vcard
Size: 298 bytes
Desc: not available
Url : http://lists.immunitysec.com/pipermail/dailydave/attachments/20071012/9604a630/attachment.vcf 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 186 bytes
Desc: OpenPGP digital signature
Url : http://lists.immunitysec.com/pipermail/dailydave/attachments/20071012/9604a630/attachment.pgp

More information about the Dailydave mailing list