Re: PHP and MySQL

From: Edy (email@edylie.net)
Date: Mon Jan 23 2006 - 21:31:26 EST


Hi,

I am wondering if anyone has deployed a commercial WAF to prevent common
attacks (XSS, SQL injection, etc.) on the web application?

Cheers,
-e

dork@gmx.at wrote:

>On Wednesday 18 January 2006 21:13, John Madden wrote:
>
>
>>Hi,
>>
>>I'm pentesting a web site and i get the following
>>error message while using a single quote: ex.
>>/confirm.php?conf='test123
>>
>>
>
>As stated by others, "' OR 1=1" can be better - if the output only fetches
>one single line, you might try appending LIMIT too for stepping through the
>result set.
>
>
>
>>Warning: mysql_fetch_row(): supplied argument is not a
>>valid MySQL result resource in /xx/xx/confirm.php on
>>line 5
>>
>>
>
>Display errors is one thing, a missing clause another. If the statement
>execution returns false, the script should not get there.
>
>
>
>>I've looked up the error and attempted numerous
>>variations like '1==1; etc... but I always get the
>>same error.
>>
>>Has anyone been successful in getting information this
>>way? If so, how?
>>
>>And how do we fix this vulnerability? Besides the PHP
>>code itself (sanitize user input), is it a PHP setting
>>(php.ini)?
>>
>>
>
>Possibly the best way would be using prepared statements, depending on the
>versions of MySQL & PHP.
>If you only fill in values to prepared variables, no input can break out -
>at least not because of your script. It does not mean that you don't have to
>stay careful, but normal queries can be considered "safe" then.
>
>As to the php.ini setting: in theory, magic quotes could help. But input validation
>is more accurate, leads to less overhead, and keeping them off makes it
>easier to keep your application portable. For this and other reasons, there
>are plans to discontinue this feature in future (see
>http://www.php.net/~derick/meeting-notes.html#magic-quotes ).
>
>To validate your input, there is a new and convenient way within the PHP
>core distribution since 5.1.1; older versions can retrieve it via PECL:
>http://pecl.php.net/package/filter
>
>In other special cases, you could use preg definition arrays too:
><?php
>$internal = array();                  // only values that passed their check end up here
>$checks = array(
>    'tab' => '%^\t$%',                // exactly one tab character
>    'str' => '%^[a-d0-6]{4}$%i');     // exactly four chars from a-d / 0-6, case-insensitive
>foreach ($checks as $field => $regex) {
>    if (isset($_GET[$field])) {
>        if (!preg_match($regex, $_GET[$field])) {
>            // error handling wrong input, default, output, whatever
>        }
>        // paranoid part __start__
>        else {
>            $internal[$field] = $_GET[$field];
>        }
>        // paranoid part __stop__
>    } else {
>        // error handling obligatory field not set - default, output, whatever
>    }
>}
>?>
>Usage of regex arrays on "simple" input has rather poor performance in
>comparison to typecasts, ctype, is_numeric, common range checks and (most,
>not all) string operations.
>The paranoid part can be left out if your error handling is restrictive
>enough and you are sure you have checked every variable you actually use.
>
>But since both of us are reading and posting in this list - *hmm* maybe...
>ok, we are paranoid :)
>
>
>
>>Thanks for your help
>>
>
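Added example, not code from the thread or from any of its posters: the pattern behind John's confirm.php error reproduced as a plain string-built query, next to a validated, prepared-statement version of the same lookup along the lines dork suggests. It is written for PHP 7+ with the mysqli extension. The table confirmations(code, email), the rule that a confirmation code is exactly 32 hex digits, and the connection credentials in the live section are assumptions made for illustration only.

```php
<?php
// Added example (not from the thread). Assumptions (hypothetical): a MySQL
// table confirmations(code VARCHAR(32), email VARCHAR(255)), a code format of
// exactly 32 hex digits, and the credentials used in the --live section.
declare(strict_types=1);

// --- 1. The legacy pattern behind the error in the original post ---
// conf is dropped straight into the SQL text. A single quote unbalances the
// string literal, mysql_query() returns false, and mysql_fetch_row(false)
// yields "supplied argument is not a valid MySQL result resource".
function legacy_query(string $conf): string
{
    return "SELECT code, email FROM confirmations WHERE code = '$conf'";
}

// --- 2. Validate first, cheaply and specifically ---
// ctype_xdigit plus a length check is far cheaper than a regex for this shape.
function valid_conf(string $conf): bool
{
    return strlen($conf) === 32 && ctype_xdigit($conf);
}

// --- 3. Hardened lookup: prepared statement, value bound as a parameter ---
// The SQL text is fixed at prepare time; the bound value cannot alter its
// structure, so "' OR 1=1 -- " is searched for literally and matches nothing.
function lookup_confirmation(mysqli $db, string $conf): ?array
{
    if (!valid_conf($conf)) {
        return null;                          // bad input is treated as "not found"
    }
    $stmt = $db->prepare('SELECT code, email FROM confirmations WHERE code = ? LIMIT 1');
    if ($stmt === false) {                    // never call fetch on a false result
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $conf);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $stmt->bind_result($code, $email);        // works without the mysqlnd driver
    $row = $stmt->fetch() ? ['code' => $code, 'email' => $email] : null;
    $stmt->close();
    return $row;
}

// --- Demo: constructed inputs, including the probes discussed in the thread ---
$payloads = [
    'deadbeefdeadbeefdeadbeefdeadbeef',   // well-formed code
    "'test123",                           // the probe from the post: unbalanced quote => SQL syntax error
    "' OR 1=1 -- ",                       // tautology: returns the first row of the table
    "' OR 1=1 LIMIT 1,1 -- ",             // with LIMIT offset,1 an attacker steps through the result set
];

foreach ($payloads as $p) {
    printf("input %-40s valid=%-3s legacy SQL: %s\n",
        var_export($p, true), valid_conf($p) ? 'yes' : 'no', legacy_query($p));
}

// The database part runs only when asked for, so the script also runs offline.
if (in_array('--live', $argv ?? [], true)) {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // failures throw instead of returning false
    $db = new mysqli('localhost', 'app', 'secret', 'shop');      // assumed credentials
    foreach ($payloads as $p) {
        $row = lookup_confirmation($db, $p);
        printf("prepared lookup for %s => %s\n", var_export($p, true), $row ? json_encode($row) : 'no row');
    }
}
```

Run it with `php confirm_example.php` to see how each payload lands in the string-built query, and with `--live` against a database holding the assumed table to see the prepared lookup reject or literally match the same inputs. The MYSQLI_REPORT_STRICT setting is the direct answer to the warning in the original post: a failed query becomes an exception at the query, rather than a fetch on a false value five lines later.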




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:24 EDT