[ OWASP - Montreal ] Do all SQL injection vuln. lead to exploitation?

Martin Verreault mverreault at gmail.com
Thu Apr 2 23:40:37 EDT 2009


Hello Gueb,

It depends on your definition of "exploitable" and "success".

A vulnerability can be exploited, but there could be mitigating
factors (i.e. security controls) that could lead to very small gains
from an attacker's point of view. For example, if the database user has
very limited rights and an SQL injection vulnerability is exploited,
the attacker might not find what he was looking for.

I hope this answers your question!

-Martin Verreault





On Thu, Apr 2, 2009 at 11:04 PM, gueb at owasp.org <gueb at owasp.org> wrote:
> Hi!
>
> Do you think that all SQL injection vulnerabilities are exploitable?
> Do you have an example of a non-exploitable SQL injection vulnerability?
>
> Cracking a password in brute force mode is only a question of time (in
> general), but:
>
> exploiting a SQL injection, is it also a question of time, so when you
> find one, all time spent is an investment that will lead to success?
>
> Thanks!
>
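
Added example, not part of the original thread: the limited-rights case from the reply above, shown with the same vulnerable query run under a full-rights and a restricted connection, next to the parameterized form that removes the flaw. SQLite's authorizer callback stands in for a restricted database account here, and the table names, rows and input string are constructed for the illustration.

```python
import sqlite3

PAYLOAD = "x' UNION SELECT login, pw_hash FROM users --"  # constructed input

def make_db():
    """Constructed sample data: a catalogue the app reads, plus a table it never needs."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(name TEXT, price TEXT);
        CREATE TABLE users(login TEXT, pw_hash TEXT);
        INSERT INTO products VALUES ('widget', '9.99');
        INSERT INTO users VALUES ('admin', 'constructed-hash-value');
    """)
    return conn

def restrict_to_products(conn):
    """Emulate a database account that was granted SELECT on products only."""
    def authorizer(action, arg1, arg2, dbname, source):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and arg1 == "products":
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY  # every other table and every write
    conn.set_authorizer(authorizer)
    return conn

def search_vulnerable(conn, term):
    # Deliberately vulnerable: input is concatenated into the statement.
    sql = "SELECT name, price FROM products WHERE name = '" + term + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:
        return "denied: " + str(exc)

def search_parameterized(conn, term):
    # The fix for the flaw itself: input is bound as data, never parsed as SQL.
    sql = "SELECT name, price FROM products WHERE name = ?"
    return conn.execute(sql, (term,)).fetchall()

if __name__ == "__main__":
    print("full rights   :", search_vulnerable(make_db(), PAYLOAD))
    print("limited rights:", search_vulnerable(restrict_to_products(make_db()), PAYLOAD))
    print("parameterized :", search_parameterized(make_db(), PAYLOAD))
```

Under the restricted connection the injected statement is still parsed as SQL, so the vulnerability is present; the account's rights are what keep the second table out of reach.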

