lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 21 Feb 2006 10:18:03 -0500
From: "Angelos D. Keromytis" <angelos@...columbia.edu>
To: Crispin Cowan <crispin@...ell.com>
Cc: Cristian Stoica <security@...cms.biz>, unsecure@...teme.com,
	bugtraq@...urityfocus.com, pen-test@...urityfocus.com
Subject: Re: Invision Power Board Army System Mod <= 2.1 SQL Injection Exploit


A better citation is:

  @inproceedings{boyd2004acns,
   author = "Stephen W. Boyd and Angelos D. Keromytis",
   title = {{SQLrand: Preventing SQL Injection Attacks}},
   booktitle = "Applied Cryptography and Network Security (ACNS)",
   year = "2004",
   month = "June",
   pages = {292--302}
}

Also available form
  http://www.cs.columbia.edu/~angelos/Papers/sqlrand.pdf

There are also a couple of papers on static and dynamic analysis of SQL 
queries (I don't have a citation handy at the moment).
-Angelos

Crispin Cowan wrote:
> Cristian Stoica wrote:
>>    I have a question:
>>    If you use an ecryption algorithm to store/get data into/from the
>> database you will not be able to do SQL injections ?
>>    With a simple encryption algorithm, I do with php explode,
>> transform the string into an array and run the algorithm on each
>> member of the array.
> There are actually several papers on this idea by Angelos Keromytis and
> his students & colleagues:
> 
> @inproceedings
>   (
>     kc03,
>     author = "Gaurav S. Kc and Angelos D. Keromytis and Vassilis
> Prevelakis",
>     title = "{Countering Code Injection Attacks With Instruction Set
>             Randomization}",
>     booktitle = "Proceedings of the 10th ACM Conference on Computer and
>     Communications Security (CCS 2003)",
>     address = "Washington, DC",
>     month = "October",
>     year = 2003,
>   )
> 
> Crispin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ