Comments on: SQL Injection: Sleeping Giant http://michaeldaw.org/news/sql-injection-sleeping-giant Weekly humour Thu, 07 May 2009 20:09:50 +0000 http://wordpress.org/?v= hourly 1 By: Wooshy http://michaeldaw.org/news/sql-injection-sleeping-giant/comment-page-1#comment-12658 Wooshy Tue, 13 Mar 2007 20:45:32 +0000 http://michaeldaw.org/news/sql-injection-sleeping-giant/#comment-12658 I'd agree with David that won't take too long to find a XSS vulnerability. The low-hanging fruit here is to look for something that will echo back what you put in. All you need is some HTML knowledge. Release it to bugtraq (usually without telling the script author) and job done. Filtering evasion... That's part of the challenge. There is a limited set of characters that you want to check to see if it is filter properly or not? (e.g. tags, quotes, apostrophes...) SQL Injection is not so easy. Generally, you do need to know some SQL before you can start SQL injection and I think that's the point Dave is trying to make. There's a lot more attack vectors, you can try once you can put your foot in the door with some blind SQL injection. e.g. attempting to access system tables, selecting data from a table, escalate privileges if possible. That sounds a bit more interesting... I’d agree with David that won’t take too long to find a XSS vulnerability. The low-hanging fruit here is to look for something that will echo back what you put in. All you need is some HTML knowledge. Release it to bugtraq (usually without telling the script author) and job done. Filtering evasion… That’s part of the challenge. There is a limited set of characters that you want to check to see if it is filter properly or not? (e.g. tags, quotes, apostrophes…)

SQL Injection is not so easy. Generally, you do need to know some SQL before you can start SQL injection and I think that’s the point Dave is trying to make. There’s a lot more attack vectors, you can try once you can put your foot in the door with some blind SQL injection. e.g. attempting to access system tables, selecting data from a table, escalate privileges if possible. That sounds a bit more interesting…

]]> By: kuza55 http://michaeldaw.org/news/sql-injection-sleeping-giant/comment-page-1#comment-12068 kuza55 Fri, 09 Mar 2007 23:45:17 +0000 http://michaeldaw.org/news/sql-injection-sleeping-giant/#comment-12068 I don't agree with your analysis of why XSS gets more attention. I don't think its because its so easy to exploit, I think its because there are many more interesting things to do, and because there is so much more to discover. With SQL, barring encoding issues, you either escape things or you don't. With XSS, we are generally more interested in filter evasion, rather than finding a website which echoes our html right back. There is no such thing as an SQL Injection filter which allows users to enter some SQL commands, but tries to stop them executing others. Furthermore with SQL it is perfectly clear where things need to be escaped, with XSS, even that is not a certainty, especially if you consider the FindMimeFromData issues in IE. And besides hashing data, etc, there is not much you can do in terms of defence in depth, whereas to prevent XSS you can. I don’t agree with your analysis of why XSS gets more attention. I don’t think its because its so easy to exploit, I think its because there are many more interesting things to do, and because there is so much more to discover.

With SQL, barring encoding issues, you either escape things or you don’t.

With XSS, we are generally more interested in filter evasion, rather than finding a website which echoes our html right back. There is no such thing as an SQL Injection filter which allows users to enter some SQL commands, but tries to stop them executing others.

Furthermore with SQL it is perfectly clear where things need to be escaped, with XSS, even that is not a certainty, especially if you consider the FindMimeFromData issues in IE.

And besides hashing data, etc, there is not much you can do in terms of defence in depth, whereas to prevent XSS you can.

]]> By: pdp http://michaeldaw.org/news/sql-injection-sleeping-giant/comment-page-1#comment-12012 pdp Fri, 09 Mar 2007 16:17:16 +0000 http://michaeldaw.org/news/sql-injection-sleeping-giant/#comment-12012 I don't quite agree. XSS can be as complicated as SQL Injection and sometimes even more. Both types of vulnerabilities are easy to find. However, both of them require some expertise to exploit them. I don’t quite agree. XSS can be as complicated as SQL Injection and sometimes even more. Both types of vulnerabilities are easy to find. However, both of them require some expertise to exploit them.

]]>