FYI Team,
---------- Forwarded message ----------
From: MustLive <[email protected]>
Date: 2010/12/30
Subject: [WEB SECURITY] SQL Smuggling: New methods of SQL Smuggling
To: [email protected]

Hello participants of Mailing List.

In October and November I wrote a series of articles about SQL Smuggling and now I'll post short English versions of them for you, in case such a topic is interesting for you.

At the beginning of the year I read the whitepaper of Avi Douglen about SQL Smuggling (http://www.comsecglobal.com/FrameWork/Upload/SQL_smuggling.pdf). It was interesting information for me - I have been using bypassing techniques for many years, bypassing different WAFs, IPS and IDS all the time since 2006 (for different attacks, including SQL Injection), but I never used such a term as SQL Smuggling. But the term itself looks interesting ;-).

So I decided to write a series of articles both about SQL Smuggling and about new and advanced methods of it. And after I wrote a review of the above-mentioned whitepaper about SQL Smuggling (in October), I wrote the article New methods of SQL Smuggling (http://websecurity.com.ua/4632/). In this article I told about two new methods of SQL Smuggling (which were developed after the release of that whitepaper).

The following belong to the new methods of SQL Smuggling:

1. Use of specific encoding in an SQL query. An example of such a vulnerability in web applications and the attack on it is the SQL Injection vulnerability in WordPress via encoding. The vulnerability was found by Abel Cheung in 2007.

2. String truncation in MySQL. The attack on truncation of strings in MySQL was developed by Stefan Esser in 2008. An example of the use of this attack method is the vulnerability in WordPress 2.6.1.

In the next post of this series I'll tell you about advanced methods of SQL Smuggling (which were developed by me).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
