Andre's Blog

Perfection is when there is nothing left to take away

Random security Posted Wed Jul 16 07:39:32 EDT 2008 in Security by Andre Generating good random values is critical for security of applications using them. Unfortunately, far more critical than many developers realize, as was highlighted by the recent flurry of DNS servers reported vulnerable to various forms of attacks based of predictability of their transaction identifiers. [Read More] [Comments (0)] Massive SQL injection, anyone? Posted Tue Jun 17 07:42:07 EDT 2008 in Security by Andre Last weekend I found a number of entries in the HTTP server logs indicating SQL injection attempts. The SQL targeted MS SQL Server and used the `CAST` function to decode a long hexadecimal sequence used to bypass code quote-escaping code on the server side. DECLARE @S VARCHAR(4000); SET @S=CAST(0x4445434C4152452040542...736F7220 AS VARCHAR(4000)); EXEC(@S); [Read More] [Comments (0)]	Index Login All Computing Employment Gaming Photography Programming Security Stone Steps Webalizer 2010 August (2) 2010 April (1) 2010 January (1) 2009 December (1) 2009 October (3) 2009 August (1) 2009 July (2) 2009 June (1) 2009 May (2) 2009 April (1) 2009 January (2) 2008 December (3) 2008 November (3) 2008 October (3) 2008 August (2) 2008 July (4) 2008 June (5) 2008 May (4) 2008 April (8) 2008 March (3)

Random security

Posted Wed Jul 16 07:39:32 EDT 2008 in Security by Andre

Generating good random values is critical for security of applications using them. Unfortunately, far more critical than many developers realize, as was highlighted by the recent flurry of DNS servers reported vulnerable to various forms of attacks based of predictability of their transaction identifiers.

[Read More] [Comments (0)]

Massive SQL injection, anyone?

Posted Tue Jun 17 07:42:07 EDT 2008 in Security by Andre

Last weekend I found a number of entries in the HTTP server logs indicating SQL injection attempts. The SQL targeted MS SQL Server and used the CAST function to decode a long hexadecimal sequence used to bypass code quote-escaping code on the server side.

DECLARE @S VARCHAR(4000);
SET @S=CAST(0x4445434C4152452040542...736F7220 AS VARCHAR(4000));
EXEC(@S);

[Read More] [Comments (0)]