  Show Posts
16  Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: CEH Study Material on: May 14, 2012, 04:42:56 PM
Thanks for that info. I looked up v8 and see that you can apparently take the exam but there's no study material for it? I may grab that All-In-One guide, brush up, and take the exam, unless there's a big reason to wait for v8. I just want to brush up enough to know that I'll pass the exam again and can have it on my record, and then move in to a new/better cert.
17  Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / CEH Study Material on: May 11, 2012, 10:36:34 AM
So, I took a CEH training course a few years ago, took the exam (v5), passed the exam, and have since let it expire.
I am thinking about renewing it and was wondering if anyone has recommendations on a self study book, particularly one for someone who has passed the test in the past.

I know the price has gone up, which is bogus, and I really didn't think the course/exam was very in depth when I took it, but the certification still seems to have some clout in the community, so I figured it would be a good one to renew and I should be able to pass it fairly easily.

Let me know if you have any suggestions!
18  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: XSS protection in PHP on: April 26, 2012, 08:54:14 AM
Well, they didn't know specific vulnerabilities or the extent to which they could be exploited until I took the liberty to show them, so now they are finally getting some attention!
Thanks again for the help you've given.
19  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: XSS protection in PHP on: April 25, 2012, 02:34:37 PM
Well, after looking over what's being done for SQLi, I'm actually pleasantly surprised that it's more robust than I had anticipated. I'd go into more detail if I could, but I've already said too much. I don't want to get burned for posting company intel!

Luckily, I've been able to sit down with the lead developer and discuss the plan of action on certain items, and nail down the proper procedures. The developers are aware of the security holes, but until now have done nothing about them.
Hopefully that changes soon! At least now the ball is rolling and I expect all issues to be closed soon. Maybe then I can sleep at night without nightmares of bots on my web servers...
20  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: XSS protection in PHP on: April 23, 2012, 09:13:45 AM
Well, I was asking that question thinking more of some things that are already in place, not necessarily where I want things to go. Just trying to gauge where we stand in terms of SQLi :-\

This thread has been very helpful and I'm looking forward to implementing some of these suggestions.
21  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: XSS protection in PHP on: April 20, 2012, 10:06:20 AM
Definitely some more good information. I've also read some of Shiflett's stuff before and it's really good. One thing he mentioned that I had been thinking about is filtering input and escaping/encoding output. That seems to be the most logical thing and goes along with what we've been talking about.

On a quick side note, is using PHP's quote_smart function sufficient for blocking SQLi? From what I can see, it uses magic_quotes, which means no. Is that right?

Anyway, thanks for all the help - you've gone above and beyond on this one!
22  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: XSS protection in PHP on: April 19, 2012, 05:00:11 PM
Wow, that was a great and insightful post. Thanks for the info.

The only special character that this application should let through is an apostrophe for maybe a comment box or a last name. Other than that, it should only be alphanumeric characters.
I had been thinking of htmlentities or htmlspecialchars for XSS prevention, but a simple regex like you mentioned may work in most cases as well. And we already have something in place for SQL injection, so we should be good there.
I had been looking at the OWASP stuff and see they have some PHP filters that may come in handy. I was interested in their ESAPI project, but it says the PHP version is not suitable for production.

Unfortunately there are a lot of places where code would need to be edited to include all of this and we're down to a few precious developers that are overloaded with work, so it's going to take time. In the meantime I was considering deploying a WAF like ModSecurity to help in at least reducing the risk. It's a temporary fix, but I'd like to have a WAF in place long term anyway and if it can help in this "limbo" phase, then I think it would be worth it. Any thoughts on that?

As far as other vulnerabilities, I'm pretty positive that I have discovered nearly all of them - mostly with just manual testing. There are some other issues, but I'm trying to work from high risk to low risk. There seem to be a few issues besides XSS that would be resolved by input validation/sanitation, so I can take them all out with one blow.

Oh, and my Web Application Hacker's Handbook has been my trusty sidekick along the way ;)


Thanks again for the input - I was able to get a lot out of that.
23  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: XSS protection in PHP on: April 18, 2012, 10:11:54 AM
That's a good idea. I hadn't thought of that. I just tried it out on a few bits of code and it seems to be decent. We do have the full product for one of our other environments, but I'm not sure we have the license for this project as well. I'll have to look into this.
24  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: XSS protection in PHP on: April 18, 2012, 08:32:51 AM
Thanks for the input. I just wanted to check in case there was some good news for my developers, but I guess not! It always sucks to inherit someone else's insecure system...
25  Ethical Hacking Discussions and Related Certifications / Web Applications / XSS protection in PHP on: April 17, 2012, 04:49:19 PM
Hey everyone,
Is there any way to implement input sanitation/validation/escaping/whatever in an existing PHP application without having to go through every point of input and include a filter function? I need to implement some sort of filtering, but it's going to be a nightmare to go through thousands of lines of code...
26  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: tools on: April 17, 2012, 04:44:54 PM
I'm a little late getting around to this but I'll throw in my thoughts as well.

Nessus is pretty good for vulnerability scanning, but has been a little lacking in the web application scanning from my point of view. It does find certain things, but it also misses a lot (depending on the application, of course). It also isn't as customizable as many other web scanners.

I evaluated a lot of different scanners recently, both open source and commercial, and most of them are pretty close in terms of the findings. In fact, open source tools that you can find in Backtrack found many of the same vulnerabilities that $30k commercial scanners found.
Even though the results are roughly the same, you still get a lot more from most commercial scanners in terms of usability, support, and reporting. It's up to you on whether or not that justifies the cost. Also, you can try to talk the price down with the vendor. I got a $36,000 quote down to $20,000. Still a ton of money, but if you can swing it...
Either way you'd have to do a good amount of manual testing to find all of the things that the scanner missed!

We got a commercial scanner because of the support and reporting. However, I still use that as a baseline and starting point for my manual tests, where I do most of my work.
Hope that helps.
27  Ethical Hacking Discussions and Related Certifications / Other / Re: Other security forums on: April 17, 2012, 04:30:25 PM
It's not a trap! ;)

I'm definitely going to stick around here on EH and know most people (including myself) have jobs, I just like to have options to choose from when I have questions about stuff I can't figure out on my own.
Thanks for the suggestions and I'll be sure to give them a try if I can't find what I need here.
28  Ethical Hacking Discussions and Related Certifications / Other / Other security forums on: April 16, 2012, 09:37:03 AM
Hi, I was wondering if anyone knows of some other good security forums. I really like ethicalhacker.net but I'd also like to have other options and usually I don't get a lot of help here with technical questions - like if I'm trying to exploit something and get stuck. I've been to sla.ckers.org too but there seem to be a lot of kiddies on there.
Are there other good forums around?
29  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: SQL Injection in stored procedures on: March 29, 2012, 02:44:28 PM
Hmm, not much help around here this week, eh? I think I figured this one out and concluded that the second query is not vulnerable.
30  Ethical Hacking Discussions and Related Certifications / Web Applications / SQL Injection in stored procedures on: March 28, 2012, 09:05:29 AM
So, I know that stored procedures are still vulnerable to SQLi if the parameters are not handled properly, but I'm no SQL guru and need some help.

We all know that a query like this is still vulnerable:
SELECT @sql = @sql + ' ProductName LIKE ''' + @prodname + ''''

What about queries like this:
SELECT id FROM products WHERE name LIKE '%' + @description + '%'

Is the description parameter still vulnerable because it is concatenated, or is it safe because it doesn't have the quotes around it?
Thanks for your help!
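
The difference between the two queries in the post above, as an added T-SQL example that is not part of the original post. The table, procedure names and sample rows are constructed, and it assumes the second query runs as a static statement inside the procedure rather than being built into a string and executed.

```sql
-- Added example; dbo.products_demo, the procedure names and rows are constructed.
CREATE TABLE dbo.products_demo (id INT PRIMARY KEY, name NVARCHAR(100));
INSERT INTO dbo.products_demo (id, name)
VALUES (1, N'O''Brien stout'), (2, N'100% juice'), (3, N'Plain ale');
GO

-- Pattern 1 (first query in the post): the parameter becomes part of SQL *text*
-- that is parsed when EXEC runs, so a quote in @prodname closes the literal.
CREATE PROCEDURE dbo.search_dynamic_unsafe @prodname NVARCHAR(100) AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) = N'SELECT id FROM dbo.products_demo WHERE';
    SELECT @sql = @sql + N' name LIKE ''' + @prodname + N'''';
    EXEC (@sql);
END
GO

-- Pattern 2 (second query): the statement is compiled as written; the + operators
-- build a string *value* at run time, which is only ever used as a LIKE pattern.
-- Quotes are harmless here, but %, _ and [ still act as wildcards unless escaped.
CREATE PROCEDURE dbo.search_static @description NVARCHAR(100) AS
BEGIN
    DECLARE @lit NVARCHAR(400) = REPLACE(REPLACE(REPLACE(REPLACE(
        @description, N'\', N'\\'), N'%', N'\%'), N'_', N'\_'), N'[', N'\[');
    SELECT id FROM dbo.products_demo
    WHERE name LIKE N'%' + @lit + N'%' ESCAPE N'\';
END
GO

-- When dynamic SQL is unavoidable, keep the value out of the text: pass it as a
-- typed parameter to sp_executesql instead of concatenating it.
CREATE PROCEDURE dbo.search_dynamic_safe @prodname NVARCHAR(100) AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT id FROM dbo.products_demo WHERE name LIKE @p';
    EXEC sp_executesql @sql, N'@p NVARCHAR(100)', @p = @prodname;
END
GO

-- Same constructed input (a surname with an apostrophe) through both safe forms.
EXEC dbo.search_static @description = N'O''Brien';
EXEC dbo.search_dynamic_safe @prodname = N'O''Brien%';
```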