SQLninja denial

Joerg Simon jsimon at fedoraproject.org
Mon Nov 15 23:01:57 UTC 2010


as i am work and teach nearly everday with a lot of security testing
tools to prevent crime and as the maintainer of the Fedora Security Lab

and also being a part of the ISECOM Team who develops the OSSTMM (Open
Source Security Testing Methodology Manual) and therefore involved in
Security Research and Methodology Development around these topic:

i hope that i am allowed to say/add something:

Am 15.11.2010 15:15, schrieb Máirín Duffy:
> Do you use SQLninja for penetration testing? Had you heard of it before?

Yes - and we have this tool in the FSL wishlist since 8 month´s

And just to clarify the FSL is not a Secure Lab (it is of course secure)
- it is Security Lab and lwn wrote a much better summary about it than i
"Having a larger parent organization like Fedora—and to some extent Red
Hat—may help FSL achieve a higher-profile than BackTrack or other
security distributions have in the past."

the SQLninja is also listed as the Number 1 Test Tool for SQL Injections
on the OWASP (Open Web Application Security Project)


Maybe it is interesting for you, that just doing a penetration test is
missleading, because this is just about - Can i break into something or
not? - This does not qualify to say, how secure or unsecure something is.

Therefore organization exist to develop methodolgies and rules to find
out how to do this right, like OWASP, even the German Goverment, or of
course the ISECOM.
And to do a test right all have a almost same approach
either the
Information Gathering -> SecurityScan -> Verification
or the OSSTMM 4point
Induction -> Inquest -> Interaction -> Intervention

we need tools to do the Verification bzw. Intervention.

> What penetration testing tools do you use? 

Almost all from

Especially in the Verification/Intervention Phase i use/need tools to
crack/spoof/exploit things. If you look at dsniff, ettercap or yersinia
this are tools to spoof/mitm and do Layer2 Attacks which i use almost
daily in my work.

> Is the language they use to
> explain & advertise their tools similar to that used for SQLninja?

The tool is hosted on sourceforge and it is well documented that it has
several test phases
# 2.1 test
# 2.2 fingerprint
# 2.3 bruteforce
# 2.4 escalation

it has a clear statement on the main page that:
"It should be used by penetration testers to help and automate the
process of taking over a DB Server when a SQL Injection vulnerability
has been discovered." <- this would be the verification phase i see as a
imperative step for a proper security test - to prevent crime of course
based on a written contract and testplan.

i do not see much differences to some examples we have in Fedora and
that we should have in Fedora:

> How
> do you find out about penetration testing tools? How many of the ones
> you use are GPL? 


if we really fight for freedom, please reconsider the policy and the
decission - i ask myself why is sourceforge able to take this risk
easily or the owasp project or the German Federal Office for Information
Security? I understand that RedHat is bound to all this indemnification
hickhack - and of course you can send me away and tell me to do my stuff
outside from Fedora, but i would love to do it as a Fedora Contributor
and provide this high quality Security Test Tools even if they use some
childish wording sometimes to advertise it.

I really look forward to my talk on FUDCon Tempe about my plans for the
FSL and the OSSTMM and that we have a future in Fedora for it.

cu Joerg

Joerg (kital) Simon
jsimon at fedoraproject.org
Key Fingerprint:
3691 0989 2DCA 58A2 8D1F 2CAC C823 558E 5B5B 5688

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://lists.fedoraproject.org/pipermail/advisory-board/attachments/20101116/bf4b974f/attachment-0001.bin 

More information about the advisory-board mailing list