Comments on: “All Injection Attack Vectors” http://isisblogs.poly.edu/2007/02/08/all-injection-attack-vectors/ Information Systems and Internet Security Sat, 26 Sep 2009 11:11:21 -0400 http://wordpress.org/?v=2.8.5 hourly 1 By: Dan Guido http://isisblogs.poly.edu/2007/02/08/all-injection-attack-vectors/comment-page-1/#comment-5 Dan Guido Thu, 08 Feb 2007 06:47:33 +0000 http://isisblogs.poly.edu/2007/02/08/all-injection-attack-vectors/#comment-5 Your link to elharo.com seems down at the moment, but at least for the XML injection... iSEC Partners have been doing quality XML injection work for the past few years with lots of it showing up at Blackhat and Defcon. Just check https://www.isecpartners.com/speaking.html for "Breaking AJAX Web Applications: Vulns 2.0 in Web 2.0." Your link to elharo.com seems down at the moment, but at least for the XML injection… iSEC Partners have been doing quality XML injection work for the past few years with lots of it showing up at Blackhat and Defcon. Just check https://www.isecpartners.com/speaking.html for “Breaking AJAX Web Applications: Vulns 2.0 in Web 2.0.”

]]> By: Yan Ivnitskiy http://isisblogs.poly.edu/2007/02/08/all-injection-attack-vectors/comment-page-1/#comment-4 Yan Ivnitskiy Thu, 08 Feb 2007 05:32:37 +0000 http://isisblogs.poly.edu/2007/02/08/all-injection-attack-vectors/#comment-4 When one talks about a SQL injection, the only thing that makes it an 'injection' is that it's in the SQL domain. When we inject code into some pre-rendered HTML it's a cross site scripting attack. When we overflow a buffer of machine code, we're overflowing the buffer. In reality, in all of these cases we are simply mixing the data with the control channel and assigning each variation a different name. You can argue that the majority of security issues deal with this unclear separation of data and control, we just end up giving it a new buzzword every time we reference it. After all, saying a "SQL overflow" is too ambiguous, or a "HTML injection" is at the danger of just sounding lame :P When one talks about a SQL injection, the only thing that makes it an ‘injection’ is that it’s in the SQL domain. When we inject code into some pre-rendered HTML it’s a cross site scripting attack. When we overflow a buffer of machine code, we’re overflowing the buffer. In reality, in all of these cases we are simply mixing the data with the control channel and assigning each variation a different name.

You can argue that the majority of security issues deal with this unclear separation of data and control, we just end up giving it a new buzzword every time we reference it. After all, saying a “SQL overflow” is too ambiguous, or a “HTML injection” is at the danger of just sounding lame :P

]]>