On Tue, Dec 2, 2014 at 8:36 PM, <travis+ml-lang...@subspacefield.org> wrote:
> On Tue, Dec 02, 2014 at 11:05:00AM -0800, Will Sargent wrote: > > Would "parse tree differential attack" overlap with this category as > well? > > > > http://ieeexplore.ieee.org/xpls/icp.jsp?arnumber=6553401 > > Full Text Here? > http://langsec.org/papers/langsec-tr.pdf > Yup, that's the technical report version of the IEEE paper. BTW, what do you & langsec think of this? > > Using parse tree validation to prevent SQL injection attacks (2005) > http://citeseer.ist.psu.edu/viewdoc/summary?doi=10.1.1.120.9618 > Discussed in the paper above, actually. We made the same argument you do -- that attempting to recognise an SQL dialect using a "generic" SQL dialect opens up room for parse tree differential attacks much like how the X.509 attacks worked. Cheers, --mlp
_______________________________________________ langsec-discuss mailing list langsec-discuss@mail.langsec.org https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss
