lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sat Apr 23 13:20:09 2005
From: mohit.muthanna at gmail.com (Mohit Muthanna)
Subject: FW: Introducing a new generic approach to
	detecting SQL injection

>      What is intriguing me about it is that it is a different way of
> approaching the problem of untrusted user input, one that uses the
> strengths of the dbms itself rather than relying on code written on a
> layer above the dbms to send safe data to the dbms.  

True... it is novel. My guess is that it opens up a really big can of worms.

>    Because we are not talking about an attacker on a psql console, we
> are talking about an attacker passing characters through an interface
> layer that might be using different rules than the PostgreSQL
> parser. If I can encode' as a multibyte character in a way that the
> layer which is doing the escaping does not recognize it as a '
> character, but the PostgreSQL parser does, then I can bypass your

I wasn't talking about the console either. But I see your point about
weaknesses in the validation mechanisms of other interface layers
adding an element of uncertainty. I'd like to add that in this case,
prepared statements (or very restrictive regular expressions) would be
invaluable.


> attacks in the same way that it does.  One form of attack I see that it
> won't recognise is a valid clause that extends the scope of the result
> set without invoking the name of a entity in the database: "' and 1=1
> and 1='"

Yes. This is just one worm from the can. :-)

>      I have learned to worry when some piece of security seems easy....
>  :)

With good reason.

Mohit.

-- 
Mohit Muthanna [mohit (at) muthanna (uhuh) com]
"There are 10 types of people. Those who understand binary, and those
who don't."

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ