[24057] in bugtraq
New SQL Injection Whitepaper
daemon@ATHENA.MIT.EDU (Chris Anley)
Thu Jan 31 16:12:18 2002
Message-ID: <003301c1aa6d$4d485df0$4201010a@kodiak>
From: "Chris Anley" <chris@ngssoftware.com>
To: <bugtraq@securityfocus.com>
Date: Thu, 31 Jan 2002 15:37:42 -0000
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Hi folks,
I've just completed a Microsoft SQL Server 'injection' whitepaper, that can
be downloaded from
http://www.ngssoftware.com/papers/advanced_sql_injection.pdf
At least half of the sites I've audited have been vulnerable to some form of
SQL injection; I think it's important that people fully understand the
issues.
The paper contains information on a variety of attacks, including
second-order SQL injection, automation scripts and audit evasion. It also
discusses input validation and (briefly) secure builds. The intention is to
raise awareness of the rich variety of SQL injection attacks, in order to
encourage people to fix these issues in their applications.
Cheers,
-chris.
