Re: xml over https

From: Barnett E. Kurtz (
Date: 02/05/05

  • Next message: Burke, Charles: "RE: xml over https"
    Date: Sat, 5 Feb 2005 07:57:11 -0500
    To: Mads Rasmussen <>

    Here are some references from MS to get you started:

    "Stop SQL Injection Attacks Before They Stop You"

    "Validating User Input"

    "Cross-Site Scripting and SQL Code Injection"

    "MS03-016: HTTP Receiver Buffer Overflow and DTA SQL Injection
    Vulnerabilities in Microsoft BizTalk Server 2002";en-us;815208

    "Patterns and Practices - Chapter 2 – Threats and Countermeasures"



    ---- Original message ----
    >Date: Fri, 04 Feb 2005 09:33:29 -0300
    >From: Mads Rasmussen <>
    >Subject: Re: xml over https
    >Actually it turned out to be way much simpler than I thought,
    >application sends text files between server and client,
    formatted in XML.
    >Some of the fields are encrypted with 3des but the key was
    hardcoded and
    >I managed to write a tiny program to decrypt the xml fields
    using their
    >own dll without specifying the key ;-)
    >The application communicates through https with a portal
    vulnerable to
    >sql injection. I haven't been able to find a login that suits
    but I have
    >mapped almost the whole DB using different queries.
    >If anyone know a nice guide to sql injection for SQL server
    (MS) I would
    >appreciate it

  • Next message: Burke, Charles: "RE: xml over https"