[thelist] Need help with a simple regex (Monday annoyance)

Joshua Olson joshua at waetech.com
Tue Apr 5 08:39:08 CDT 2005


> -----Original Message-----
> From: Ken Schaefer
> Sent: Tuesday, April 05, 2005 12:55 AM

> Why don't you ask them directly, rather than asking me. I'm a systems
> engineer, not a code security guru.

Ok, I will.  I'll let you know how it goes!  :-)

> Frankly, your attitude sounds to me just like those people who say "SQL
> Injection - prove it. Cross site scripting, prove it. Session hijacking -
> prove it". And for every example you give, they write up a little code
> snippet to nullify it.

The theories behind the complex SQL Injection theories would be better
served by supporting examples, and I'm sure that no adequate nullifying
example could ever exist.  An absence of a supporting example, while not
nullifying a theory, definitely makes a theory less acceptable, at least in
my experience.  There are, I'm sure, many knowledgeable security experts out
there... likewise, there are many "security experts".  A little "scientific
theory"--create a hypothesis, then prove or disprove it--would go a long way
in separating the camps.

FWIW, I hope that we can find a viable example of this character encoding
SQL Injection technique that works in one of the major DBs and isn't
reliant on a particular middle-ware bug.  I think it would really clear the
minds of myself plus any others who have followed these threads.

Lastly, the other things you mentioned (cross-site scripting, session
hijacking) do have publicly available examples.  :-)

<><><><><><><><><><>
Joshua Olson
Web Application Engineer
WAE Tech Inc.
http://www.waetech.com/service_areas/
706.210.0168 



