[WEB SECURITY] SQL Injection through "name" field possible?

Michele Orru antisnatchor at gmail.com
Wed Feb 2 10:21:19 EST 2011


Canon mate.
Amit is the HTTP master :)
Take a look at response splitting and request smuggling attack vectors for example.
Antisnatchor

Tasos Laskos <tasos.laskos at gmail.com> wrote:

>Foreigner here and Google returns a bunch of Amit Kleins.
><thick accent> Who is this Amit Klein you speak of?</thick accent>
>
>On 02/02/11 04:18, Arian J. Evans wrote:
>> To be fair, at first blush the casual reader could easily confuse the
>> content of this thread, transposing the question of testing Name=Value
>> for Value=Name.
>>
>> I, for one, am not the only lysdexic person on this list.
>>
>> In latter years I have learned we all benefit from channeling the
>> patient and benevolent persona of Amit Klein, :)
>>
>> ---
>> Arian Evans
>> Software Security Sophistry
>>
>>
>> On Tue, Feb 1, 2011 at 7:19 PM, Tasos Laskos <tasos.laskos at gmail.com> wrote:
>>> Sorry man but Little Bobby's name would go in the value part of the form not
>>> the name. ;)
>>>
>>> On 02/02/11 01:40, Matthew Zimmerman wrote:
>>>>>
>>>>> Generally, SQL injection is possible with the "value" field in an HTML
>>>>> form.
>>>>> I was just wondering if it is practically possible through the "name"
>>>>> field as well.
>>>>
>>>> I'm actually a little ashamed of this entire list for not mentioning
>>>> this already.  Has no one heard of Little Bobby Tables?
>>>> http://xkcd.com/327/
>>>>
>>>> Matt Zimmerman
>>>>
>>>> _______________________________________________
>>>> The Web Security Mailing List
>>>>
>>>> WebSecurity RSS Feed
>>>> http://www.webappsec.org/rss/websecurity.rss
>>>>
>>>> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>>>
>>>> WASC on Twitter
>>>> http://twitter.com/wascupdates
>>>>
>>>> websecurity at lists.webappsec.org
>>>>
>>>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>>>>
>>>
>>>
>>
>
>

