[WEB SECURITY] SQL Smuggling: New methods of SQL Smuggling

MustLive mustlive at websecurity.com.ua
Mon Jan 31 11:45:07 EST 2011


Robert!

I hope everything is good with the list after the move to new hosting ;-).

> You can test your payloads against the ModSecurity Core Rule Set here:

Josh!

Thanks for the link. But I will never be checking my bypass techniques on
the WAF developers' own server :-) (as must be clear from my
previous letter).

> You don't need the backend server to be vulnerable to SQLi

I always prefer to check bypass techniques in a real environment, so
vulnerable web apps are required for that. And for some cases, especially
when the attack payload is complex enough (like in the cases which I mentioned
in my article about Advanced methods of SQL Smuggling), it's very important
to have a vulnerable web app at the site with the WAF. So in case the WAF is
blocking some attack and I'm modifying the request "on the fly" to bypass it,
to see both responses of the site and the WAF, i.e. not only to bypass the WAF, but to
do it with valid SQL code which makes a valid SQLi attack.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- 
From: "Josh Amishav-Zlatin" <josh at ramat.cc>
To: "MustLive" <mustlive at websecurity.com.ua>
Cc: "Michele Orru" <antisnatchor at gmail.com>; <websecurity at webappsec.org>
Sent: Wednesday, January 19, 2011 1:06 PM
Subject: Re: [WEB SECURITY] SQL Smuggling: New methods of SQL Smuggling


> On Tue, Jan 18, 2011 at 11:34:45PM +0200, MustLive wrote:
>>
>> Regarding SQL Injection, then I've bypassed some time ModSecurity for SQLi
>> attacks (as with using methods mentioned in my series of articles about SQL
>> Smuggling, as with using other methods which will not be made public).
>> Sometimes for full scale SQLi, sometimes for limited SQLi, but still useful
>> for attacking purposes. I don't know about latest ModSecurity default rules,
>> but you can give me a link to a site with such configuration and with SQL
>> Injection holes :-), and I'll check it and will tell if any of my
>
> Hi,
>
> You can test your payloads against the ModSecurity Core Rule Set here:
> http://www.modsecurity.org/demo/crs-demo.html
>
> You don't need the backend server to be vulnerable to SQLi, you only
> want to check if the CRS identifies your payloads as malicious or not.
>
> --
> - Josh
