[Webappsec] Automatically detecting injections

silky michaelslists at gmail.com
Mon Apr 28 23:31:38 EDT 2008


On Tue, Apr 29, 2008 at 1:23 PM, Jeff Williams <jeff.williams at owasp.org> wrote:
>  >>  I'm not trying to nitpick here, but I really don't consider this
>  >>  injection.
>  >
>  > Well that's odd because it's _exactly_ injection, as all injection is
>  > is about context. Your previous email assumed a context that wasn't
>  > always true; it's the *classical* reason for bugs. Why would you
>  > continue with this line of reasoning? The point is that your
>  > context-assumption was wrong. It's the reason broad statements like 'I
>  > am 100% secure' are totally irresponsible.
>
>  For the record, I never said, and would never say, that anyone is 100%
>  secure.

this is what you said:

quote jeff: "You can easily verify that an application with hundreds
of thousands of lines of code doesn't have SQL injection in a matter
of minutes. And you'd be accurate"

That's as good as a 100% guarantee in my book. maybe others see it differently.


>  >>  To me, the core of any injection vulnerability is that the meaning of
>  >>  the query or command is changed before it gets to the interpreter.
>  >>  Here, the meaning is unchanged.
>  >
>  > Eh? It's valid to have someone enter a SQL command via a website. Just
>  > because the code doesn't process it for sql commands doesn't mean they
>  > should. Your argument here is nonsense. The query's original context,
>  > if the context is to only execute the 'assumed' statement, as written
>  > by the coder, and not allow other statements to be injected, is
>  > broken. To pretend that it's not 'injection' is just plain weird.
>
>  I think there is a difference in the two types of vulnerabilities that's
>  worth distinguishing. On the one hand, changing the meaning of the query is
>  what I would call injection.  Changing a data value (in this case the
>  command to be exec'ed) to an unauthorized value is a validation problem.  It
>  makes a difference to the developer that has to fix the problem.

yes of course it's worth distinguishing, but it's still injection.
just at a different level.


>  > i'm a bit surprised to see 'owasp' taking that stance
>
>  Just my opinion as one of the many volunteer OWASP participants.

sure but you are also the owasp leader, are you not? sure it seems
appropriate for responsible statements to be coming from such a
leader. if i say something silly well people probably expect it, but
if you do it's surely given more weight.


>  --Jeff

-- 
http://lets.coozi.com.au/
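
The distinction argued over in this message, as an added example that is not part of the original email: a constructed SQLite schema in which every query uses bound parameters, yet a stored data value is later executed as a statement. The `jobs` table, the function names and the allow-list are all assumptions made for illustration.

```python
import sqlite3

# Hypothetical allow-list: job names mapped to fixed statements the coder wrote.
ALLOWED_JOBS = {
    "user_count": "SELECT COUNT(*) FROM users",
    "newest_user": "SELECT name FROM users ORDER BY id DESC LIMIT 1",
}

def make_db():
    # Constructed in-memory schema and sample rows.
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT);"
        "CREATE TABLE jobs(id INTEGER PRIMARY KEY, command TEXT);"
        "INSERT INTO users(name) VALUES ('alice'), ('bob');"
    )
    return db

def save_job(db, command):
    # Bound parameter: `command` cannot change the meaning of this INSERT,
    # so a scan for string-built SQL reports nothing here.
    return db.execute("INSERT INTO jobs(command) VALUES (?)", (command,)).lastrowid

def load_job(db, job_id):
    row = db.execute("SELECT command FROM jobs WHERE id = ?", (job_id,)).fetchone()
    if row is None:
        raise KeyError(job_id)
    return row[0]

def run_job_unvalidated(db, job_id):
    # 'Before' form: the stored data value is itself handed to the interpreter.
    return db.execute(load_job(db, job_id)).fetchall()

def run_job_validated(db, job_id):
    # 'After' form: the stored value only selects one of the fixed statements.
    name = load_job(db, job_id)
    if name not in ALLOWED_JOBS:
        raise ValueError(f"unauthorized job value: {name!r}")
    return db.execute(ALLOWED_JOBS[name]).fetchall()

def user_count(db):
    return db.execute("SELECT COUNT(*) FROM users").fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    job = save_job(db, "DELETE FROM users")  # constructed unauthorized value
    run_job_unvalidated(db, job)
    print(user_count(db))
```
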

