RE: Pen-testing AS400 DB2 LANSA

From: Amichai Shulman (shulman@imperva.com)
Date: Wed Jun 22 2005 - 03:32:31 EDT

• Next message: Noname: "Re: extracting passwords from ethereal dump"
• Previous message: Chris Byrd: "Re: Risks associated to branch office IPSec devices"
• Maybe in reply to: eoin.keary@owasp.org: "Pen-testing AS400 DB2 LANSA"
• Next in thread: Eoin Keary: "RE: Pen-testing AS400 DB2 LANSA"
• Reply: Eoin Keary: "RE: Pen-testing AS400 DB2 LANSA"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

We did a pen-test on a web application a while ago that used DB2 on
AS400 as backend database. Found SQL injection to work much like with
any other database. Interesting thing though was that we invoked a
denial-of-service attack against the AS400 by injecting a computation
intensive query.

Amichai Shulman
CTO

Imperva, Inc.
12 Hachilazon St.
Ramat Gan

(972)-3-6120133 x103 Office
(972)-3-7511133 Fax
(972)-50-6544451 Mobile
shulman@imperva.com

-----Original Message-----
From: eoin.keary@owasp.org [mailto:eoin.keary@owasp.org]
Sent: Wednesday, June 15, 2005 3:34 PM
To: pen-test@securityfocus.com
Subject: Pen-testing AS400 DB2 LANSA

Hi,
anyone have any knowledge on SQL injection for a AS400 running DB2?

Eoin

• Next message: Noname: "Re: extracting passwords from ethereal dump"
• Previous message: Chris Byrd: "Re: Risks associated to branch office IPSec devices"
• Maybe in reply to: eoin.keary@owasp.org: "Pen-testing AS400 DB2 LANSA"
• Next in thread: Eoin Keary: "RE: Pen-testing AS400 DB2 LANSA"
• Reply: Eoin Keary: "RE: Pen-testing AS400 DB2 LANSA"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:27 EDT