Comments on Jeremiah Grossman: Twitter users angry about SQL Injection hacks on their websites
(comment feed, 9 comments, shown oldest first)

Anonymous, 2008-06-24 12:15 (-07:00):
To all those angry twitter users: Find the SQL Injection before the bot finds it for you. Check out http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/24/finding-sql-injection-with-scrawlr.aspx

Jeremiah Grossman, 2008-06-24 12:23 (-07:00):
Odd, based on the licensing restrictions, Scrawl basically seems unusable. Maybe for like a REALLY small online store or something...

 * Will only crawl up to 1500 pages
 * Does not support sites requiring authentication
 * Does not perform Blind SQL injection
 * Cannot retrieve database contents
 * Does not support JavaScript or flash parsing
 * Will not test forms for SQL Injection (POST Parameters)

Anonymous, 2008-06-24 12:45 (-07:00):
Scrawlr (http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/24/finding-sql-injection-with-scrawlr.aspx) is limited. However, research (http://www.secureworks.com/research/threats/danmecasprox/?threat=danmecasprox) has shown that the SQL Injection bots are not very sophisticated, i.e. only targeting ASP pages, only auditing parameters found in requests using the GET verb.

Of course there are ways of doing more comprehensive testing for SQL Injection. I'm sure followers of your blog can attest to that.

Jeremiah Grossman, 2008-06-24 12:54 (-07:00):
Oh I dunno about that, whoever developed this payload is definitely no noob.
http://isc.sans.org/diary.html?storyid=4565

Payload aside, I was more talking about the 1,500 page count limit. Unless your vulnerable webapp is within those URLs, well, you're out of luck I guess. And it's tough to compete with the crawling capabilities of Google since that's essentially what's being used for target list acquisition.

Don't get me wrong, I'm not saying you should be giving anything more away for free, it just is what it is.

kuza55, 2008-06-24 16:13 (-07:00):
Lol, pwned.

Erwin Geirnaert, 2008-06-25 06:12 (-07:00):
If you Google for m.js filetype:.aspx you will see that there are already aspx sites infected.

People need help ASAP.

It's a good thing that tools are out there and best practices on fixing it, but I have a flashback of the I Love You virus.

This is the beginning of a new decade in web application security.

Matt Presson, 2008-06-25 06:15 (-07:00):
I love how some of the twitter users think the solution is sanitation while it is actually validation and parametrization. Oh well, maybe they will learn.

Jeremiah Grossman, 2008-06-25 16:13 (-07:00):
@Erwin, I agree. I think the webappsec industry's slammer/blaster is upon us. Could happen at any moment.

@matt, do ya blame them really though? I mean, so much conflicting information out there, really hard for them to sort through it all.

Anonymous, 2008-06-26 22:29 (-07:00):
Rejoice! There is no crawl limit!
The limit is a lie. (http://www.memestreams.net/thread/bid39014/)