Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

ISSA "Security conference"

  1. Home
  2. Forum
  3. Off Topic
  4. ISSA "Security conference"

ghost's Avatar

ghost

0 0

Alright, I"m sitting here in an ISSA conference and we have a speaker talking about "Mass injection through SQL Injections."

So far I have not been impressed at all. We have a google dork finding vulnerable SQL injection attacks.

1.) He does not distinct between regular sql injections from blind sql injections. Nor does he know the simple markup' OR '1'='1--. Someone who doesn't understand how a sql injection like this works, shouldn't be giving a presentation on such attacks.

2.) His understanding of blind sql injection is that through the vulnerability, an attacker uploads malicious javascript. You can tell that his company, Pandasecurity, is trying to spread as much information about malware as possible. His bias stands in the way of spreading correct information about attackers.

3.) Someone asked the question, "Is there a way to know if we are on a spoofed page?" (talking about phishing) Well, his answer is, "Check the URL." Mentioning nothing about the difference between remote and local attacks.

4.) He believes these blind sql injections to be based off of the web server software (IIS, Apache). Not actually off of the version and type of SQL that they are using.

5.) His "fixing" never actually mentions sanitizing the input. He talks about the SQL worm that was talked about at, Defcon 15 (I believe). He just talks about removing that injected information, but not actually fixing the original problem.

6.) Before when I mentioned he had trouble differentiating between sql injections and blind sql injections, it was much worse than I thought.

—––We've broke out of sql injections here and entered into the realm of XSS——— 1.) URL encoding the injection. Now, I'm not talking about encoding URL illegal characters, such as + in %2B. I'm talking about encoding the entire query into URL hexadecimal.

––––Entering back into sql injection—— 1.) His form of "securing" was to translate all characters into varchar. Now, this would work if the attacker didn't have access to sql functions. Which would be able to end this form of security. He basically gave a group of people some bad code for securing it. No wonder why so many websites are being vulnerable to such attacks when bad coding practices are being presented by "security researchers."


ghost's Avatar

ghost

0 0

Well are there going to be any competent speakers at this convention?


ghost's Avatar

ghost

0 0

Nope, that was the only speaker. Had a lot of fun with the people and the after questions at this little convention.

Someone swears by the, "hackersafe," as a means of protection. Seeing as the talker was talking about sql injection and XSS, I asked him what he thought about rSnake and the people at slackers finding numerous XSS exploits in these "Hackersafe" certified sites. He didn't say anything. Then I had a talk with a couple security professionals after the speaker and we all had a big laugh with the severe vulnerabilities they found in these "Hackersafe" certified sites.

After this conference, which lasted a good hour and a half, there was the Arizona security practicioners group meeting. Now, this one was interesting. We had a person who worked at Dementia and was bought out by VMWare a while ago. He talked about virtualization security and what VMWare is doing, specifically, to advance and create a more secure virtual environment. This was a very good talk and I have to say I'm excited about the future of VMWare. They made it so that a virtualized layer covers the guest operating system. Meaning everything passes through this layer before hitting the Guest OS. So, if you virtualized Vista and had someone try to exploit Vista's failed attempt at memory protection, the virtualized layer will protect you against the vulnerability. Interesting stuff.


Uber0n's Avatar

Uber0n

Member
0 0

nights_shadow wrote: 1.) He does not distinct between regular sql injections from blind sql injections. Nor does he know the simple markup' OR '1'='1--. Someone who doesn't understand how a sql injection like this works, shouldn't be giving a presentation on such attacks. Shouldn't it be markup' OR '1'='1'-- or possibly markup' OR '1'='1:right:


ghost's Avatar

ghost

0 0

Uber0n wrote: [quote]nights_shadow wrote: 1.) He does not distinct between regular sql injections from blind sql injections. Nor does he know the simple markup' OR '1'='1--. Someone who doesn't understand how a sql injection like this works, shouldn't be giving a presentation on such attacks. Shouldn't it be markup' OR '1'='1'-- or possibly markup' OR '1'='1:right:[/quote]

Well, there's many different ways of doing a basic sql injection. The way I wrote has been working for me, so I see no problem with it. It's not like there's only x amount of ways to do this. I mean, you got so many variations depending on how the query is structured. Apostrophes, quotes, parenthesis, etc.

Edit: here's even more basic injections for you to enjoy:

    admin' --
    admin' #
    admin'/*
    ' or 1=1--
    ' or 1=1#
    ' or 1=1/*
    ') or '1'='1--
    ') or ('1'='1--```