SQL Injection

Mak Hattalli asked on February 25, 2015 12:28

Hi All,

I went through this link, "http://www.kentico.com/downloads/Kentico-CMS_Security-White-Paper.pdf". Please let me know how I can find out in which form it is reflected.
How do I find SQL injection in a Kentico CMS 6.0 website? In the web scan report I am getting a lot of SQL injection findings.

Thanks,

Recent Answers


Juraj Komlosi answered on February 25, 2015 14:57

Hi Mak,

If you have a security report containing the SQL injection vulnerabilities, you can send it to our support and we will have a look at it. But before you run the security scan, I would recommend that you follow these checklists:

If you do that, you can eliminate many false positives and get only the relevant results. Anyway, the best practice for avoiding any security vulnerability (not only SQL injection) is to validate all user input. I wrote articles describing the SQL injection and cross-site scripting vulnerabilities. Both articles relate to the latest release version. I hope they will help you.

2 votes

Olivier Cozette answered on February 25, 2015 21:35

Juraj is right, validating user input is a must!

I was getting false positives from different test sites, and after sanitizing user input, the false positives disappeared.

If you expect an integer, ask only for an integer; if you expect a GUID, ask only for a GUID; and so on.

0 votes
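The advice in the two answers above (validate every request parameter to the type you expect, and never let the raw value become part of the SQL text) is illustrated by the following added example. It is not code from this thread, from the Kentico API or from the white paper; it uses Python with an in-memory SQLite table standing in for the CMS document table, and the table contents, column names and GUID values are constructed for the demonstration. The two "vulnerable" functions build the query by string concatenation, which is what a scanner flags; the "safe" functions first coerce the parameter to an integer or a GUID and then bind it as a query parameter, so an injection payload is rejected before it ever reaches the database and the response no longer varies with the junk a scanner sends.

```python
import re
import sqlite3
import uuid


def make_db():
    """Constructed sample data: one published and one unpublished document."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Documents ("
        "DocumentID INTEGER PRIMARY KEY, DocumentGUID TEXT, "
        "DocumentName TEXT, Published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO Documents VALUES (?, ?, ?, ?)",
        [
            (1, "6f1a2b3c-4d5e-4f60-8a7b-9c0d1e2f3a4b", "Home", 1),
            (2, "0b9c8d7e-6f5a-4b4c-9d3e-2f1a0b9c8d7e", "Secret draft", 0),
        ],
    )
    return conn


# --- vulnerable: the request value is pasted into the SQL text -------------

def lookup_by_id_vulnerable(conn, raw_id):
    sql = ("SELECT DocumentName FROM Documents WHERE DocumentID = "
           + raw_id + " AND Published = 1 ORDER BY DocumentID")
    return [row[0] for row in conn.execute(sql)]


def lookup_by_guid_vulnerable(conn, raw_guid):
    sql = ("SELECT DocumentName FROM Documents WHERE DocumentGUID = '"
           + raw_guid + "' AND Published = 1 ORDER BY DocumentID")
    return [row[0] for row in conn.execute(sql)]


# --- hardened: validate the type first, then bind a parameter --------------

def validate_int(raw):
    """Return an int only if the whole string is an optionally signed
    decimal number; int() alone is too lenient (it accepts whitespace
    and underscores), so an explicit pattern is used."""
    if raw is None or re.fullmatch(r"-?[0-9]+", raw) is None:
        return None
    return int(raw, 10)


def validate_guid(raw):
    """Return the canonical lowercase hyphenated form of a GUID, or None.
    uuid.UUID accepts braces and upper case but rejects anything that is
    not 32 hex digits, which is exactly the strictness wanted here."""
    if raw is None:
        return None
    try:
        return str(uuid.UUID(raw))
    except ValueError:
        return None


def lookup_by_id_safe(conn, raw_id):
    doc_id = validate_int(raw_id)
    if doc_id is None:
        return []  # reject the request; a real handler would return 400
    sql = ("SELECT DocumentName FROM Documents WHERE DocumentID = ? "
           "AND Published = 1 ORDER BY DocumentID")
    return [row[0] for row in conn.execute(sql, (doc_id,))]


def lookup_by_guid_safe(conn, raw_guid):
    doc_guid = validate_guid(raw_guid)
    if doc_guid is None:
        return []
    sql = ("SELECT DocumentName FROM Documents WHERE DocumentGUID = ? "
           "AND Published = 1 ORDER BY DocumentID")
    return [row[0] for row in conn.execute(sql, (doc_guid,))]


if __name__ == "__main__":
    db = make_db()
    # Typical scanner payloads: the "--" comments out the Published filter.
    print(lookup_by_id_vulnerable(db, "1 OR 1=1 --"))      # leaks the draft
    print(lookup_by_id_safe(db, "1 OR 1=1 --"))            # rejected: []
    print(lookup_by_guid_vulnerable(db, "' OR 1=1 --"))    # leaks the draft
    print(lookup_by_guid_safe(db, "' OR 1=1 --"))          # rejected: []
```

The same pattern applies in the ASP.NET code behind a Kentico page: convert the query-string or form value with a strict parser before use, and pass it to the database as a typed parameter rather than concatenating it into the WHERE clause. Because every malformed value now produces the same empty or error response regardless of its content, scanners stop reporting the parameter as injectable.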
