[ OWASP - Montreal ] Does all sql injection vuln. leads to exploitation?

Sébastien Duquette ekse.0x at gmail.com
Fri Apr 3 08:27:52 EDT 2009


In fact this question applies to every technique. Like Martin said,
you need to determine what this vulnerability allows you to do and
sometimes it won't allow you much, so you won't be able to "exploit" it.
That being said, if such a vulnerability is found it should be fixed
because new techniques are constantly arising and changes in future
updates of the software you are attacking might make that
vulnerability exploitable.

Hope that helped.

Sebastien

On Thu, Apr 2, 2009 at 11:40 PM, Martin Verreault <mverreault at gmail.com> wrote:
> Hello Gueb,
>
> It depends on your definition of "exploitable" and "success".
>
> A vulnerability can be exploited, but there could be mitigating
> factors (i.e. security controls) that could lead to very small gains
> from an attacker's point of view. For example, if the database user has
> very limited rights and an SQL injection vulnerability is exploited,
> the attacker might not find what he was looking for.
>
> I hope this answers your question!
>
> -Martin Verreault
>
>
>
>
>
> On Thu, Apr 2, 2009 at 11:04 PM, gueb at owasp.org <gueb at owasp.org> wrote:
>> Hi!
>>
>> Do you think that all SQL injection vulnerabilities are exploitable?
>> Do you have an example of a non-exploitable SQL injection vulnerability?
>>
>> Cracking a password in brute force mode is only a question of time (in
>> general), but:
>>
>> exploiting a sql injection, is it also a question of time, so when you
>> find one, all time spent is an investment that will lead to success?
>>
>> Thanks!
>> _______________________________________________
>> Owasp-montreal mailing list
>> Owasp-montreal at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-montreal
>>
>
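
The mitigating factor Martin describes (a database user with very limited rights) and the fix Sébastien asks for, as an added example that is not part of the original thread. Assumptions: an SQLite authorizer stands in for a limited-rights database account, and the tables, function names and input strings are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: one table the app needs, one it must never read."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT);
        INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');
        CREATE TABLE accounts(login TEXT, pw_hash TEXT);
        INSERT INTO accounts VALUES ('admin', 'constructed-hash');
    """)
    return conn

def limit_rights(conn):
    """Assumption: the authorizer models a DB user granted SELECT on products only."""
    def authorizer(action, arg1, arg2, dbname, source):
        if action == sqlite3.SQLITE_SELECT:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and arg1 == "products":
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY  # every other table and operation is refused
    conn.set_authorizer(authorizer)

def search_concat(conn, name):
    # Flawed: user input is concatenated into the statement text.
    sql = "SELECT id, name FROM products WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def search_param(conn, name):
    # Fixed: the input is bound as data and never parsed as SQL.
    sql = "SELECT id, name FROM products WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def attempt(search, conn, name):
    """Run a search and report 'denied' when the database refuses the statement."""
    try:
        return search(conn, name)
    except sqlite3.DatabaseError:
        return "denied"

WIDEN = "x' OR '1'='1"                                    # constructed test input
CROSS = "x' UNION SELECT login, pw_hash FROM accounts --"  # constructed test input

if __name__ == "__main__":
    conn = make_db()
    limit_rights(conn)
    for fn in (search_concat, search_param):
        for value in ("widget", WIDEN, CROSS):
            print(fn.__name__, repr(value), attempt(fn, conn, value))
```

With limited rights the flawed query still returns more rows than intended from the table it is allowed to read, so the restriction reduces the gain without removing the flaw; only the bound-parameter version treats both inputs as plain data.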

