Robert Hurlbut Blog

Thoughts on Software Security, Software Architecture, Software Development, and Agility

PDC Security Symposium

Thursday, October 30, 2003

.NET, Security

Tim Sneath has posted several excellent articles/notes from the PDC Security Symposium held today.  He may post more, but at this point, here are his notes:

SECSYM: Security Symposium I, SECSYM: Security Symposium II, SECSYM: Security Symposium III, SECSYM: Security Symposium IV, SECSYM: Security Symposium V, SECSYM: Security Symposium VI

Out of these, what struck me initially was the note from V above:

The SQL Server security lead developer demonstrated a black hat tool circulating on the Internet that utilises a SQL injection vulnerability to expose access to the full underlying database server, allowing query of any other table on that system or any linked server for which a web application has access. He demonstrated how a simple ASP.NET page query with a filter textbox could be used to reveal all the credit card details stored in another table in the database.

This kind of application demonstrates how the maturity of attacks is increasing. It's even more important than ever before to lock down the user accounts used and perform threat modelling and penetration testing against SQL injection attacks.

Makes posts of mine like this one and this one all the more relevant.

Update: According to Don Kiely, the tool mentioned above is Data Thief, a proof of concept (free) tool from Application Security, Inc.
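To make the filter-textbox problem from the symposium note concrete, here is an added example (mine, not from Tim Sneath's notes or the demo itself) showing the same query pattern in two forms: the textbox value concatenated into the SQL text, and the same query with the value bound as a parameter. It uses an in-memory SQLite database with constructed tables in place of the SQL Server behind the ASP.NET page.

```python
import sqlite3

# Constructed in-memory database standing in for the web app's database:
# the products table the page is meant to query, plus a second table of
# card data that the same database login happens to be able to read.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, price TEXT);
        INSERT INTO products VALUES (1, 'widget', '9.99'), (2, 'gadget', '19.99');
        CREATE TABLE cards (id INTEGER, holder TEXT, number TEXT);
        INSERT INTO cards VALUES (1, 'A. Customer', '4111-TEST-0000-0001');
    """)
    return conn

def filter_products_vulnerable(conn, filter_text):
    # String concatenation, the defect in the demonstrated page: whatever the
    # user typed into the filter textbox becomes part of the SQL statement.
    sql = ("SELECT id, name, price FROM products WHERE name LIKE '%"
           + filter_text + "%'")
    return conn.execute(sql).fetchall()

def filter_products_safe(conn, filter_text):
    # Parameterized query: the textbox value is bound as data, so it can only
    # ever be compared against the name column, never alter the statement.
    sql = "SELECT id, name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + filter_text + "%",)).fetchall()

# Constructed input of the kind the symposium demo relied on: it closes the
# quoted string, appends a UNION against the unrelated cards table, and
# comments out the rest of the original statement.
INJECTED_FILTER = "x%' UNION SELECT id, holder, number FROM cards --"

def leaks_card_data(rows):
    # Detection helper for the demo: did any returned column come from cards?
    return any("TEST" in str(col) for row in rows for col in row)

if __name__ == "__main__":
    db = build_db()
    print("concatenated:", filter_products_vulnerable(db, INJECTED_FILTER))
    print("parameterized:", filter_products_safe(db, INJECTED_FILTER))
```

Parameterization removes the injection itself; the note's other recommendation, locking down the account the application connects with so it cannot read tables like `cards` at all, limits the damage if a concatenated query is ever missed.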
