Incorrectly filtered escape characters
This form of SQL injection occurs when user input is not filtered for escape characters and is then passed into a SQL statement. This results in the potential manipulation of the statements performed on the database by the end user of the application.
The following line of code illustrates this vulnerability:
statement := “SELECT * FROM users WHERE name = ‘” + userName + ‘;”
If the “userName” variable is crafted in a specific way by a malicious user, the SQL statement may do more than the code author intended. For example, setting the “userName” variable as a’ or ‘t’='t
renders this SQL statement by the parent language: (more…)
Database
Share This
It may sound strange, but we don’t have even a single article of OUR OWN organization on OUR OWN blog site. As the saying goes, Better late than never, we have finally created a category which caters to SCG issues.
The 8th SCG meeting had the following participants
1. Prof. Nirja Mattoo
2. Nitin Kaul
3. Biju Krishnan
4. Me (Nikhil) (more…)
Chapter Meetings, India, Meeting, Mumbai SCG
Share This
Metasploit announced the immediate free availability of the Metasploit Framework version 3.0 from http://framework.metasploit.com/.
The Metasploit Framework (”Metasploit”) is a development platform for creating security tools and exploits. Version 3.0 contains 177 exploits 104 payloads 17 encoders and 3 nop modules. Additionally 30 auxiliary modules are included that perform a wide range of tasks including host discovery protocol fuzzing and denial of service testing.
Metasploit is network security professionals favourite tool to perform penetration tests, system administrators to verify patch installations product.
there is a Metasploit framework module to test the Windows Vista ANI vulnerability too 
More about the ANI vulnerability or Blue Jacking in the next post.
Internet Security, Metasploit, Metasploit 3.0, Penetration Tests Security
Share This