[WEB SECURITY] SQL Injection through "name" field possible?

JOSEPH D'COSTA joseph.dcosta at 3i-infotech.com
Thu Feb 3 00:05:49 EST 2011


Take a Look at 2004 whitepaper written by Amit Klein :- 
http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf

Joseph D'costa
__________________________________________________________________________________________
From: websecurity-bounces at lists.webappsec.org [websecurity-bounces at lists.webappsec.org] On Behalf Of Michele Orru [antisnatchor at gmail.com]
Sent: Wednesday, February 02, 2011 8:51 PM
To: Tasos Laskos; Arian J. Evans
Cc: websecurity at lists.webappsec.org
Subject: Re: [WEB SECURITY] SQL Injection through "name" field possible?

Canon mate.
Amit is the HTTP master :)
Take a look at response splitting and request smuggling attack vectors for example.
Antisnachor

Tasos Laskos <tasos.laskos at gmail.com> wrote:

>Foreigner here and Google returns a bunch of Amit Kleins.
><thick accent> Who is this Amit Klein you speak of?</thick accent>
>
>On 02/02/11 04:18, Arian J. Evans wrote:
>> To be fair, at first blush the casual reader could easily confuse the
>> content of this thread, transposing the question of testing Name=Value
>> for Value=Name.
>>
>> I, for one, am not the only lysdexic person on this list.
>>
>> In latter years I have learned we all benefit from channeling the
>> patient and benevolent persona of Amit Klein, :)
>>
>> ---
>> Arian Evans
>> Software Security Sophistry
>>
>>
>> On Tue, Feb 1, 2011 at 7:19 PM, Tasos Laskos<tasos.laskos at gmail.com>  wrote:
>>> Sorry man but Little Boby's name would go in the value part of the form not
>>> the name. ;)
>>>
>>> On 02/02/11 01:40, Matthew Zimmerman wrote:
>>>>>
>>>>> Generally, SQL injection is possible with the "value" field in a HTML
>>>>> form.
>>>>> I was just wondering if it is practically possible through the "name"
>>>>> field as well.
>>>>
>>>> I'm actually a little ashamed of this entire list for not mentioning
>>>> this already.  Has no one heard of Little Bobby Tables?
>>>> http://xkcd.com/327/
>>>>
>>>> Matt Zimmeran
>>>>
>>>> _______________________________________________
>>>> The Web Security Mailing List
>>>>
>>>> WebSecurity RSS Feed
>>>> http://www.webappsec.org/rss/websecurity.rss
>>>>
>>>> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>>>
>>>> WASC on Twitter
>>>> http://twitter.com/wascupdates
>>>>
>>>> websecurity at lists.webappsec.org
>>>>
>>>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>>>>
>>>
>>>
>>> _______________________________________________
>>> The Web Security Mailing List
>>>
>>> WebSecurity RSS Feed
>>> http://www.webappsec.org/rss/websecurity.rss
>>>
>>> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>>
>>> WASC on Twitter
>>> http://twitter.com/wascupdates
>>>
>>> websecurity at lists.webappsec.org
>>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>>>
>>
>
>
>_______________________________________________
>The Web Security Mailing List
>
>WebSecurity RSS Feed
>http://www.webappsec.org/rss/websecurity.rss
>
>Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>WASC on Twitter
>http://twitter.com/wascupdates
>
>websecurity at lists.webappsec.org
>http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
_______________________________________________
The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity at lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

---
This e-mail message may contain confidential, proprietary or legally privileged information. It should not be used by anyone who is not the original intended recipient.If you have erroneously received this message, please delete it immediately and notify the sender. The recipient acknowledges that 3i Infotech or its subsidiaries and  associated companies, (collectively "3i Infotech"), are unable to exercise control or ensure or guarantee the integrity of/over the contents of the information contained in e-mail transmissions and further acknowledges that any views expressed in this message are those of the individual sender and no binding nature of the message shall be implied or assumed unless the sender does so expressly with due authority of 3i Infotech. Before opening any attachments please check them for viruses and defects.





More information about the websecurity mailing list