Re: [SC-L] Lateral SQL injection paper

2008-04-30 Thread Mary and Glenn Everhart
Let me suggest something a little differently: Perhaps when speaking of web app security, an already enormous area, it is not so useful to enlarge it still more, but fools rush in. One way to look at web code (and many other kinds) is that we are sending strings to an interpreter and it does

Re: [SC-L] Lateral SQL injection paper

2008-04-29 Thread Joe Teff
Manico [EMAIL PROTECTED] To: Kenneth Van Wyk [EMAIL PROTECTED] Cc: Secure Coding SC-L@securecoding.org Date: Mon, 28 Apr 2008 15:27:58 -0400 Subject: Re: [SC-L] Lateral SQL injection paper Anyone else have a take on this new attack method? If I use Parameterized queries w/ binding of all

Re: [SC-L] Lateral SQL injection paper

2008-04-29 Thread Steven M. Christey
On Tue, 29 Apr 2008, Joe Teff wrote: If I use Parameterized queries w/ binding of all variables, I'm 100% immune to SQL Injection. Sure. You've protected one app and transferred risk to any other process/app that uses the data. If they use that data to create dynamic SQL, then what?

Re: [SC-L] Lateral SQL injection paper

2008-04-29 Thread Pascal Meunier
If I understand this correctly, it's difficult to exploit because if you can alter database types, you probably can send arbitrary SQL statements to the database somehow already. In that case, what extra capabilities does this attack give you? When I design applications using Postgresql, I

Re: [SC-L] Lateral SQL injection paper

2008-04-29 Thread Arian J. Evans
So I'd like to pull this back to a few salient points. Weirdly, some folks seem quick to dismiss the paper with a didactic shot of "folks shouldn't code that way anyway", which has nothing to do with the subject. 1. I think everyone on SC-L gets the idea of strong patterns and implementations, and

[SC-L] Lateral SQL injection paper

2008-04-28 Thread Kenneth Van Wyk
Greetings SC-Lers, Things have been pretty quiet here on the SC-L list... I hope everyone saw David Litchfield's recent announcement of a new category of SQL attacks. (Full paper available at http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf) He refers to this new category as

Re: [SC-L] Lateral SQL injection paper

2008-04-28 Thread Arian J. Evans
David's papers are always interesting, but I think the most interesting thing is that we are starting to see advanced SQL injection like his recent work on cursor attacks/snarfing being used in the wild in mass-SQL injection exploits. Attackers are using multiple layers of encoding for both

Re: [SC-L] Lateral SQL injection paper

2008-04-28 Thread Jim Manico
Anyone else have a take on this new attack method? If I use Parameterized queries w/ binding of all variables, I'm 100% immune to SQL Injection. In Java (for Insert/Update/etc) just use PreparedStatement + variable binding. There are similar constructs in all languages. Although the
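The exchange between Jim Manico (binding every variable makes the statement immune) and Steven M. Christey (the app that binds is protected, but a downstream process that builds dynamic SQL from the stored value is not) is the classic second-order injection, and it is worth seeing concretely. What follows is an added example, not code from this thread or from Litchfield's paper, and it does not reproduce the Oracle-specific mechanism the paper describes. It uses Python's sqlite3 module; the table names, column names and the payload string are invented for illustration. Application A binds the insert; application B later reads the stored value and either concatenates it (unsafe) or binds it (safe).

```python
"""Second-order SQL injection: the bound INSERT is safe, the downstream
string-built SELECT is not.  Added example using sqlite3 in memory;
table/column names and the payload are invented for illustration."""
import sqlite3

# Attacker-chosen display name (constructed payload).  Application A stores
# it verbatim, because binding the value is exactly what binding is for.
# sqlite3's execute() refuses stacked statements, so a tautology is used
# rather than a second statement; the principle is the same.
PAYLOAD = "bob' OR '1'='1"


def setup() -> sqlite3.Connection:
    """Create the two tables both applications share."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users  (id INTEGER PRIMARY KEY, display_name TEXT);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, display_name TEXT, total REAL);
        INSERT INTO orders VALUES (1, 'alice', 10.0), (2, 'carol', 20.0), (3, 'bob', 5.0);
        """
    )
    return conn


def app_a_register(conn: sqlite3.Connection, display_name: str) -> int:
    """Application A: parameterized insert.  Immune to injection *here*."""
    cur = conn.execute("INSERT INTO users (display_name) VALUES (?)", (display_name,))
    conn.commit()
    return cur.lastrowid


def build_unsafe_report_sql(name: str) -> str:
    """The dynamic SQL application B builds from a value it found in the DB."""
    return "SELECT id, total FROM orders WHERE display_name = '%s' ORDER BY id" % name


def app_b_report_unsafe(conn: sqlite3.Connection, user_id: int) -> list:
    """Application B, as Christey warns: trusts stored data and concatenates it.
    The bound lookup of the name is fine; the second query is where it breaks."""
    (name,) = conn.execute(
        "SELECT display_name FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    return conn.execute(build_unsafe_report_sql(name)).fetchall()


def app_b_report_safe(conn: sqlite3.Connection, user_id: int) -> list:
    """Application B done right: the stored value is bound, never spliced."""
    (name,) = conn.execute(
        "SELECT display_name FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    return conn.execute(
        "SELECT id, total FROM orders WHERE display_name = ? ORDER BY id", (name,)
    ).fetchall()


def demo() -> tuple:
    """Run both consumers against the same stored payload."""
    conn = setup()
    uid = app_a_register(conn, PAYLOAD)  # A survives; the payload is now data
    return app_b_report_unsafe(conn, uid), app_b_report_safe(conn, uid)


if __name__ == "__main__":
    unsafe, safe = demo()
    print("unsafe consumer returned:", unsafe)  # every order, not just the user's
    print("safe consumer returned:  ", safe)    # nothing: no order has that name
    print("statement B actually ran:", build_unsafe_report_sql(PAYLOAD))
```

The unsafe consumer returns every row in `orders` because the stored quote closes B's literal and the tautology takes over; the safe consumer returns nothing, since no order belongs to a display name containing a quote. The practical check is the one Christey implies: audit every reader of a column, not only the writer that populated it.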