[Snort-sigs] Generic SQL injection false positives

Paul Schmehl pschmehl_lists at ...3425...
Mon Dec 28 18:53:10 EST 2009

--On December 28, 2009 4:28:18 PM -0600 Graham Bignell <bignell at ...2420...> 

> On Mon, Dec 28, 2009 at 5:15 PM, Guise McAllaster
> <guise.mcallaster at ...2420...> wrote:
>> > From what I've seen, some SQLi will work using "/**/" instead of
>> spaces.  Other bypasses are possible as well I thinks.  Others want to
>> contribute some useful bypasses to spaces?
> "+"

+update?  Or + update?

Or are you referring to %20+update+whatever?

If so, the + sign is removed during normalization.

> "%20"

This is a space, which will converted to a space by the normalization 

Paul Schmehl, If it isn't already
obvious, my opinions are my own
and not those of my employer.
WARNING: Check the headers before replying

More information about the Snort-sigs mailing list