RE: Oracle SQL Injection vulnerability



Does that mean the site is vulnerable to SQL Injection? I tried ' OR 1=1--
and ' OR '1'='1'--
but I get same error message.

Yes, and as it stands, this is definitely a finding for your client
regardless of whether or not you are able to exploit it. But of course, you
want to exploit it both to make a credible argument to your client as well
as to feel cool.

I recommend Mavituna's Oracle SQL Injection Cheat Sheet:

http://ferruh.mavituna.com/makale/oracle-sql-injection-cheat-sheet/

PaulM



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------



Relevant Pages

  • Re: (Job) Web / COBOL developer position in Texas - Immediate Need!
    ... In this case, the rate really is DOE, and we will just present the ... posting, we plan to submit any qualified candidates, regardless of the ... and give the client the final say. ... > When posting to comp.lang.cobol please include a rate, or range of rates, ...
    (comp.lang.cobol)
  • Re: OT: Newsreaders and Usenet/NNTP access
    ... The weirdness seem to appear regardless of client. ... So why don;t I see this on eveyones elses post if it's me. ...
    (rec.photo.digital)
  • Re: OT: Newsreaders and Usenet/NNTP access
    ... The weirdness seem to appear regardless of client. ... So why don;t I see this on eveyones elses post if it's me. ...
    (rec.photo.digital)
  • Re: OT: Newsreaders and Usenet/NNTP access
    ... The weirdness seem to appear regardless of client. ... with every other post here yours is the only one containing black diamonds with? ...
    (rec.photo.digital)
  • Re: Outsourcing update
    ... Said the client did not even read the reports but if ... > Regardless of reason, ... > kind of an agreement with a client. ... > any MTSO would have the forethought to get a signed agreement that "if we ...
    (sci.med.transcription)