RE: Oracle SQL Injection vulnerability



> Does that mean the site is vulnerable to SQL Injection? I tried ' OR 1=1--
> and ' OR '1'='1'--
> but I get the same error message.

Yes, and as it stands, this is definitely a finding for your client
regardless of whether or not you are able to exploit it. But of course, you
want to exploit it both to make a credible argument to your client as well
as to feel cool.

I recommend Mavituna's Oracle SQL Injection Cheat Sheet:

http://ferruh.mavituna.com/makale/oracle-sql-injection-cheat-sheet/

PaulM
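As an added illustration (not part of the original post or PaulM's reply), the script below simulates what the two tautology payloads quoted above do once an application pastes them into an Oracle query by string concatenation, and why the same payload can still produce an error depending on where in the statement the input lands. The query templates are hypothetical and constructed here; nothing connects to a real Oracle instance. The lexer only tracks single-quoted literals, the `''` escape, Oracle's `--` line comment and parenthesis depth, which is enough to show whether the statement that reaches the parser is well formed. The bind-variable form at the end is the usual fix.

```python
# Added example: simulate how injection payloads land in Oracle SQL text.
from typing import Dict, Tuple

# Constructed, hypothetical application queries; "{}" marks where the
# untrusted value is concatenated. Three contexts a pentester commonly meets.
TEMPLATES: Dict[str, str] = {
    "string_literal": "SELECT id FROM users WHERE name = '{}'",
    "in_parentheses": "SELECT id FROM users WHERE (name = '{}' AND active = 1)",
    "numeric":        "SELECT id FROM users WHERE id = {}",
}

# The two payloads quoted in the thread.
PAYLOADS = ("' OR 1=1--", "' OR '1'='1'--")


def compose(template: str, user_input: str) -> str:
    """Vulnerable pattern: the input is spliced straight into the SQL text."""
    return template.replace("{}", user_input)


def scan(sql: str) -> Dict[str, object]:
    """Walk the statement like a SQL lexer: track single-quoted literals
    ('' is an escaped quote), stop at a '--' comment that sits outside a
    literal, and count parentheses outside literals. Returns the text that
    survives before the comment and two balance flags."""
    in_string = False
    depth = 0
    i = 0
    while i < len(sql):
        ch = sql[i]
        if in_string:
            if ch == "'":
                if i + 1 < len(sql) and sql[i + 1] == "'":
                    i += 1                # escaped quote inside a literal
                else:
                    in_string = False
        else:
            if ch == "'":
                in_string = True
            elif sql.startswith("--", i):
                break                     # rest of the line is a comment
            elif ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
        i += 1
    return {
        "effective_sql": sql[:i].rstrip(),
        "quotes_balanced": not in_string,   # False -> unterminated literal
        "parens_balanced": depth == 0,      # False -> missing right parenthesis
    }


def report() -> Dict[str, Dict[str, Dict[str, object]]]:
    """Run every payload through every template; keyed by template, payload."""
    return {
        name: {p: scan(compose(tpl, p)) for p in PAYLOADS}
        for name, tpl in TEMPLATES.items()
    }


def parameterized(name: str) -> Tuple[str, Dict[str, str]]:
    """Hardened form: an Oracle bind variable. The driver never splices the
    value into the statement text, so the payload is just a name to match."""
    return "SELECT id FROM users WHERE name = :name", {"name": name}


if __name__ == "__main__":
    for tpl_name, by_payload in report().items():
        for payload, result in by_payload.items():
            print(f"[{tpl_name}] {payload!r}")
            print(f"    parser sees : {result['effective_sql']}")
            print(f"    quotes ok={result['quotes_balanced']} "
                  f"parens ok={result['parens_balanced']}")
    print(parameterized(PAYLOADS[0]))
```

Only the plain string-literal context yields a well-formed statement for both payloads. Inside parentheses the `--` also comments out the closing `)`, and in a numeric context the leading quote opens a literal that is never closed, so the server rejects the statement either way and the application may well show the same generic error it showed for a lone quote. That is one reason a tautology "not working" does not mean the injection point is gone; try closing the enclosing context (for example a `)` before the `OR`) or dropping the comment and ending the payload with a quote that balances the original.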
