Linux Today: Linux News On Internet Time.

Problems with Penetration Testing

Nov 10, 2008, 23:33
(Other stories by Kenneth Van Wyk)

"A perfectly natural human response to this message is to retreat and patch the software to stop that SQL syntax from being injected into the Web application. The developers are likely to write some logic that goes like: if (SQL syntax is present in an input) disallow the input.

"Then, the pen test is repeated, the problem is resolved, and everyone is happy. Right? Wrong.

"The problem with this approach is that it is almost always a negative model, not a positive one. That is, the programmers will naturally be drawn to checking a “blacklist” of banned SQL syntax, and then disallowing the input. This type of negative validation can invariably be broken by a determined adversary."
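The negative and positive models described in the excerpt, side by side, as an added example that is not part of the article or of Linux Today's page. It uses Python's built-in sqlite3 module, constructs its own sample users, and assumes a hypothetical application where a username may contain lowercase letters, digits and a few punctuation characters. The blacklist validator turns away legitimate names such as "o'brien" and "select", while the positive model states the accepted shape up front and binds the value as a query parameter so it is never interpreted as SQL.

```python
import re
import sqlite3

# Constructed sample data for this example; not taken from the article.
SAMPLE_USERS = ["alice", "o'brien", "select"]


def make_db():
    """Build an in-memory SQLite table holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)")
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [(u,) for u in SAMPLE_USERS])
    conn.commit()
    return conn


# Negative model: a blacklist of "SQL syntax", the fix the article describes
# developers reaching for after a pen-test finding.
BLACKLIST = re.compile(r"select|union|drop|--|'", re.IGNORECASE)


def negative_validate(value: str) -> bool:
    """Accept the input unless it contains a blacklisted fragment.

    The list is only as complete as its author's imagination, and it also
    rejects perfectly legitimate values (an apostrophe in a surname, a
    username that happens to be an SQL keyword).
    """
    return BLACKLIST.search(value) is None


# Positive model: state exactly what a username may look like (hypothetical
# rule for this example) and accept nothing else.
USERNAME = re.compile(r"[a-z0-9][a-z0-9_.'-]{0,31}")


def positive_validate(value: str) -> bool:
    """Accept only values that fully match the allowed shape."""
    return USERNAME.fullmatch(value) is not None


def lookup_user(conn, username: str):
    """Positive validation first, then a parameterized query.

    The value is bound as data by the database driver rather than spliced
    into the SQL text, so no SQL contained in it is ever executed.
    """
    if not positive_validate(username):
        return None
    return conn.execute("SELECT id, username FROM users WHERE username = ?",
                        (username,)).fetchone()


def count_matching(conn, value: str) -> int:
    """Parameterized query with no validation at all: a value containing SQL
    syntax is compared as a literal string and simply matches nothing."""
    return conn.execute("SELECT COUNT(*) FROM users WHERE username = ?",
                        (value,)).fetchone()[0]


def total_users(conn) -> int:
    """Row count, used to confirm the table is untouched after each lookup."""
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    for name in ["alice", "o'brien", "select", "x' OR 'a'='a"]:
        print(f"{name!r:18} blacklist={negative_validate(name)!s:5} "
              f"allowlist={positive_validate(name)!s:5} row={lookup_user(db, name)}")
    print("rows still present:", total_users(db))
```

The point of the positive model is that the allowlist and the parameter binding each stand alone: the allowlist rejects anything outside the documented shape before the database is consulted, and the parameterized query would treat the value as data even if the allowlist were missing or too loose.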
