Canon mate.
Amit is the HTTP master :)
Take a look at response splitting and request smuggling attack vectors for example.
Antisnatchor
Tasos Laskos tasos.laskos@gmail.com wrote:
Foreigner here and Google returns a bunch of Amit Kleins.
<thick accent> Who is this Amit Klein you speak of?</thick accent>
On 02/02/11 04:18, Arian J. Evans wrote:
To be fair, at first blush the casual reader could easily confuse the
content of this thread, transposing the question of testing Name=Value
for Value=Name.
I, for one, am not the only lysdexic person on this list.
In latter years I have learned we all benefit from channeling the
patient and benevolent persona of Amit Klein, :)
Arian Evans
Software Security Sophistry
On Tue, Feb 1, 2011 at 7:19 PM, Tasos Laskos tasos.laskos@gmail.com wrote:
Sorry man but Little Bobby's name would go in the value part of the form, not
the name. ;)
On 02/02/11 01:40, Matthew Zimmerman wrote:
Generally, SQL injection is possible with the "value" field in an HTML
form.
I was just wondering if it is practically possible through the "name"
field as well.
I'm actually a little ashamed of this entire list for not mentioning
this already. Has no one heard of Little Bobby Tables?
http://xkcd.com/327/
Matt Zimmerman
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
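A worked illustration of the question in this thread, added here and not taken from any poster: a handler that binds the value side of each name=value pair but splices the field name straight into the SQL, beside an allowlisted version. The table, column names and form data are constructed for the example.

```python
import sqlite3
from typing import Any, Dict, List, Tuple

# Columns a profile form is allowed to update. The "name" side of a form's
# name=value pairs is attacker-controlled just like the value side, so it must
# be checked against an allowlist before it ever reaches SQL text.
ALLOWED_COLUMNS = {"email", "display_name"}


def build_update_vulnerable(form: Dict[str, str], user_id: int) -> Tuple[str, List[Any]]:
    """Binds values with placeholders but splices field *names* into the statement.
    Placeholders protect values only, not identifiers: a form field named after a
    column the form never exposed (or carrying SQL syntax) lands in the SQL verbatim.
    Kept only to contrast with build_update_safe below."""
    assignments = ", ".join(f"{name} = ?" for name in form)
    sql = f"UPDATE users SET {assignments} WHERE id = ?"
    return sql, list(form.values()) + [user_id]


def build_update_safe(form: Dict[str, str], user_id: int) -> Tuple[str, List[Any]]:
    """Rejects any field name outside ALLOWED_COLUMNS, so only known identifiers
    are ever interpolated; values are still bound through placeholders."""
    bad = [name for name in form if name not in ALLOWED_COLUMNS]
    if bad:
        raise ValueError(f"unexpected form field name(s): {bad}")
    names = sorted(form)
    assignments = ", ".join(f'"{name}" = ?' for name in names)
    sql = f"UPDATE users SET {assignments} WHERE id = ?"
    return sql, [form[name] for name in names] + [user_id]


def apply_update(form: Dict[str, str], user_id: int) -> Tuple[str, str, int]:
    """Runs the safe builder against a constructed in-memory table and returns
    the resulting row (email, display_name, is_admin) for user_id."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, "
        "display_name TEXT, is_admin INTEGER DEFAULT 0)"
    )
    conn.execute("INSERT INTO users VALUES (1, 'old@example.invalid', 'Bobby', 0)")
    sql, params = build_update_safe(form, user_id)
    conn.execute(sql, params)
    row = conn.execute(
        "SELECT email, display_name, is_admin FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    conn.close()
    return row
```

With the vulnerable builder, a submitted field named is_admin selects a column the form never offered, without any quote or comment sequence in the name; the allowlisted builder refuses it before any SQL is built.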
Take a look at the 2004 whitepaper written by Amit Klein:
http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
Joseph D'costa
From: websecurity-bounces@lists.webappsec.org [websecurity-bounces@lists.webappsec.org] On Behalf Of Michele Orru [antisnatchor@gmail.com]
Sent: Wednesday, February 02, 2011 8:51 PM
To: Tasos Laskos; Arian J. Evans
Cc: websecurity@lists.webappsec.org
Subject: Re: [WEB SECURITY] SQL Injection through "name" field possible?