1. I highly doubt that your application is vulnerable to a SQL injection attack. I have been told that a few times in the past only to find out that the test used was flawed. If you have a login screen to your application, it would be difficult for them to even perform the test. Because of the IW structure, many traditional tests cannot even be executed. There is no way for a tester to start a session on the server unless you have given them a way to do so.
A SQL injection means that an attacker can put raw SQL code into an edit on a form, submit it, and then your application crashes to a SQL prompt, thereby allowing the attacker full access to the database. Another way this can be done is by passing parameters to your application.
If your application takes parameters like this:
http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike, it could be attacked like this:
http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1+ . If your application responds with any results, or displays any database information, you are vulnerable.
Ask them to prove it! They should be able to show you data from any table in the database. They will not be able to show you any proof. I have pounded two of my servers with server testing tools that go through dozens of scenarios. The SQL injection attack fails with flying colors every time.
The only tests that my IW applications have failed at any point are those using SSL vulnerabilities. Each time that has happened I download the latest OpenSSL libraries, recompile, and the threat is fixed.
2. If the IP is showing in the address bar, it probably means a domain has not been assigned to the IP address. How are you accessing the application? If you are accessing it by IP address, that is what will display in the address bar. Use a domain to reach the application.
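To show what the directory.asp probe quoted in the post actually tests, here is an added example (not the poster's code and not IntraWeb or ASP code) that runs the same URL-decoded payload against an assumed `directory(lastname, firstname)` table in SQLite, once through string concatenation and once through parameter binding; the table name, rows and both lookup functions are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows standing in for the site's directory table.
ROWS = [("chapple", "mike"), ("smith", "ann"), ("jones", "bob")]

# The probe from the post, URL-decoded. The quote closes the string literal,
# the subquery checks whether the text is being parsed as SQL, and OR '1'='1
# makes the WHERE clause true for every row. "fake" is the post's table name.
PROBE = "mike' AND (select count(*) from fake)>0 OR '1'='1"


def make_db():
    """In-memory SQLite database with the assumed directory table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT)")
    con.executemany("INSERT INTO directory VALUES (?, ?)", ROWS)
    return con


def lookup_concat(con, lastname, firstname):
    """Vulnerable pattern: request values spliced into the SQL text."""
    sql = ("SELECT lastname, firstname FROM directory "
           "WHERE lastname = '%s' AND firstname = '%s'" % (lastname, firstname))
    return con.execute(sql).fetchall()


def lookup_param(con, lastname, firstname):
    """Hardened pattern: values bound as parameters, never parsed as SQL."""
    sql = ("SELECT lastname, firstname FROM directory "
           "WHERE lastname = ? AND firstname = ?")
    return con.execute(sql, (lastname, firstname)).fetchall()


def run_probe(lookup, probe=PROBE):
    """Run one lookup with the probe; return ("rows", rows) or ("error", msg)."""
    con = make_db()
    try:
        return ("rows", lookup(con, "chapple", probe))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    # Concatenation lets the quote end the literal, so the subquery runs;
    # "fake" does not exist and the database error text leaks back.
    print(run_probe(lookup_concat))
    # Against a table that does exist, the tautology returns every row.
    print(run_probe(lookup_concat, PROBE.replace("fake", "directory")))
    # Parameter binding compares the whole probe as a literal: no match.
    print(run_probe(lookup_param))
```

The middle call is the "responds with any results" case from the post, the first is the "displays any database information" case, and the parameterized lookup shows neither.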