Re: SQL injection

From: DokFLeed (dokfleed@dokfleed.net)
Date: Fri Jun 10 2005 - 07:13:23 EDT


There was a CGI Shield once (http://cgishield.com/). I am not sure what happened to the author; the domain is for sale, so I tried
to go on with the project for more than a year.

It stops web attacks, including SQL injections.

"IRax is a PHP Gateway; it can be integrated in any Web Application to stop
known attacks.
It prevents SQL injections, XSS, and many other known attacks. It depends
mainly on PHP CLIENT/SERVER socket scripting."

http://www.dokfleed.net/irax/
It's signature based:
* signature file is separated
* exceptions pages & fields are allowed
* reporting templates built-in
* faster interception engine
* recoded reporting server

All contributions are welcome,
DokFLeed

----- Original Message -----
From: "Hernán M. Racciatti" <hracciatti@gmail.com>
To: <pen-test@securityfocus.com>
Sent: Friday, June 10, 2005 10:40 PM
Subject: Re: SQL injection

On 6/10/05, Leandro Reox <lmet5on@fibertel.com.ar> wrote:

> Like Todd says "nothing is 100% secure"

That's real life...

> so well-coded web apps + good sigs
> based detections + good db diagramming + a lot of conscience makes a nice
> combo.

I agree, but I would add one or two additional items: security in
depth and fewer privileges...

P.S.: In SQL injection tactics, evasion is OFTEN possible, e.g.:

'OR 1=1--
'OR1=1--
'or2>1--
%27%4f%52%20%31%3d%31%2d%2d
%27%4f%52%20'a'=N'a'
etc...

Configuring signatures is theoretically possible, but not in practical terms...

Clean code is the only last defense..

My 2 cents.
Bye.

-- 
Hernán Marcelo Racciatti
Core Team Member ISECOM (Institute for Security and Open Methodologies)
Coordinator OISSG, Argentina (Open Information System Security Group)
[mailto:hracciatti@gmail.com]
[http://www.hernanracciatti.com.ar]
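The two positions in this thread (DokFLeed's signature-based gateway and Hernán's list of evasions) can be put side by side in a few lines. The script below is an added example for this archive page, not code from IRax, CGI Shield or any poster; the function names, the regexes, the in-memory `users` table and the benign value `alice` are constructed for illustration. It runs the five variants quoted above through a naive signature, through a decode-then-normalize signature, through a vulnerable string-concatenated query and through a parameterized query.

```python
"""Signature filtering versus parameterized queries, run over the evasion
variants quoted in the thread. Added example; the helper names and the
users table are constructed for illustration, not from IRax or CGI Shield."""
import re
import sqlite3
from urllib.parse import unquote

# Constructed sample inputs: the five evasion variants listed in the thread
# plus one benign value. A web server would normally URL-decode these before
# the application sees them; unquote() below models that step.
SAMPLE_INPUTS = [
    "'OR 1=1--",
    "'OR1=1--",
    "'or2>1--",
    "%27%4f%52%20%31%3d%31%2d%2d",
    "%27%4f%52%20'a'=N'a'",
    "alice",
]

# A naive gateway signature written against the textbook payload: it needs the
# whitespace, the literal "1=1" and the raw (undecoded) text.
NAIVE_SIGNATURE = re.compile(r"'\s*OR\s+1=1", re.IGNORECASE)


def naive_signature_blocks(value: str) -> bool:
    """True if the raw value matches the naive signature."""
    return NAIVE_SIGNATURE.search(value) is not None


# A broader signature: URL-decode first, then look for a quote, OR/AND with
# optional whitespace, and any comparison operator. It catches every variant
# on the page but is still a guess about the next spelling someone tries.
BROAD_SIGNATURE = re.compile(r"'\s*(or|and)\s*\S+?\s*[=<>]", re.IGNORECASE)


def broad_signature_blocks(value: str) -> bool:
    """True if the URL-decoded value matches the broader signature."""
    return BROAD_SIGNATURE.search(unquote(value)) is not None


def setup_db() -> sqlite3.Connection:
    """In-memory table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_concatenated(conn, name):
    """Vulnerable lookup: decoded input spliced into the SQL text.
    Returns the sorted names found, or None if the database rejected the
    resulting SQL (some variants are syntax errors on SQLite's parser)."""
    sql = "SELECT name FROM users WHERE name = '" + unquote(name) + "'"
    try:
        return sorted(row[0] for row in conn.execute(sql))
    except sqlite3.Error:
        return None


def lookup_parameterized(conn, name):
    """Safe lookup: the decoded input travels as a bound parameter, so it is
    compared as data and never parsed as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (unquote(name),))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    conn = setup_db()
    for value in SAMPLE_INPUTS:
        print(f"{value!r:36} naive={naive_signature_blocks(value)!s:5} "
              f"broad={broad_signature_blocks(value)!s:5} "
              f"concat={lookup_concatenated(conn, value)} "
              f"param={lookup_parameterized(conn, value)}")
```

Running it shows the naive signature stopping only the first, textbook spelling, while the URL-encoded copy of the very same payload walks straight past it. Decoding and normalizing before matching recovers the other four, which is the minimum any signature gateway has to do, but the pattern is still a bet on which spellings have been seen so far. The concatenated query returns every row for `'OR 1=1--` and its encoded twin (the remaining variants happen to be syntax errors on SQLite, which says nothing about other engines), whereas the parameterized query returns nothing for any of them and the right row for `alice` without needing to recognise a single payload, which is the "clean code" point Hernán ends on.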


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:24 EDT