![[SJF Logo]](/images/unixwiz-logo-140x80.gif){kind=logo}
« November 2004 | Main | January 2005 »
December 27, 2004
Tech Tip: SQL Injection Attacks by Example
I recently did a penetration test for a customer, and for the first time was able to really go to town with SQL Injection to leverage access to a web application. SQL Injection is providing bogus input to a web form and getting my own input data treated as SQL, and it only works when the application does not properly sanitize input forms (sadly, a common malady).
The process was pretty interesting to me, and on the chance it might be to others, I wrote a Tech Tips that detailed the steps I took to gradually work my way inside.
Unixwiz.net Tech Tip: SQL Injection Attacks by Example
Posted by steve at 05:41 PM | Comments (2) | TrackBack
December 19, 2004
Spam blacklists as denial-of-service attacks?
I'm a big believer in spam blocklists - I use several myself - as well as other proactive efforts to limit spam. This is a really big problem, and there is inevitable collateral damage too, but a new one is emerging: blacklisting email forwarders.
AOL members can mark any email as spam, and this black mark gets attached to - among other things - the source IP address. If too much "spam" comes from one IP address, it can get blacklisted for a time. For direct injection or open-relay spam, this is fine, but what about email that is merely forwarded through a mail server at the user's request?
I host a small number of email accounts on my servers, with a few being forwarded elsewhere. If these go to AOL accounts and are reported as spam, it gets credited to my server. Eventually my server could get blacklisted, and I've not done anything even remotely wrong.
This hasn't happened to me, but it does happen to others: at one email forwarder I know of positively forbids any forwarded email from being reported to Spamcop (which apparently considers the last IP address in the header as the "source", much like AOL does). They have been blacklisted several times, and they will now cancel the accounts of anybody who does reports them.
I guess the moral of the story is to be careful how you're reporting spam: if you're forwarding email through somebody else's server, improper spam reporting can very well lead to the whole server being considered "a spam source" (it's not hard to construct a denial-of-service attack on this basis).
Posted by steve at 05:38 PM | Comments (0) | TrackBack
December 02, 2004
Good food with an unappetizing name
While grocery shopping the other day I ran into these little Japanese snacks: they're tasty, but they really ought to re-brand them for the U.S. Market...
Posted by steve at 04:21 PM | Comments (0) | TrackBack