WebApp Sec mailing list archives

Re: SQL Injection and XSS testing,


From: Henry Troup <htroup () acm org>
Date: Sat, 24 Feb 2007 21:50:26 -0500

The regrettable thing about security tests is that one failed test 
(successful injection) tells you a lot. But any number of successful 
tests (failed injections) tell you relatively little. 

However, your example is missing the single quote usually
needed to inject SQL. You want

' or 1 = 1 --

for the classic example. See (and try) demo.testfire.net - username
is jsmith, and the demo bank is open to that string. 

But encoding based attacks can appear not to have the single quote.

A simple input of ' or -- reveals an SQL error message; that is a good 
clue to an inadequate input filtering strategy.  A quick google for
'SQL Injection checklist' yielded a collection on cgisecurity, including
http://www.cgisecurity.com/lib/sql-insertion.txt
which is a good illustration of what can be done with patience. 
Even creating a new user and getting the database to reveal 
passwords.

You could block many of those techniques and leave just one
vulnerable. You'd still be vulnerable. So you need more than one
test case.  Your one test (corrected) is necessary, but not
sufficient.

A check at freshmeat.net found four open source SQL injection
testers.  I don't know any of them well enough to have an opinion.

-- 
Henry Troup 
htroup () acm org 

On Fri Feb 23 18:12 , "IRM" sent:

Dear all,

Excuse me for this basic question. Just wondering in regards to the SQL
injection, is it sufficient to insert the input with "1=1--" to test
whether a site is vulnerable to the SQL injection? How much level of
assurance can we get by testing the SQL injection limited to "1=1--"?

If I am not wrong I guess most of the security aspects in Web
application are mainly around input validation. So I was wondering is
there any free open source software to automate all the input? Or maybe
a list of stuff that usually need to test? Say SQL Injection or XSS? Is
there a list of parameters kind of cheat sheet? 

John,
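The exchange above turns on three points: John's "1=1--" stays inside the quoted string literal and proves nothing, the quote in Henry's corrected "' or 1 = 1 --" is what closes the literal, and blocking one technique (say, stripping the "--" comment marker) still leaves the next form on the cgisecurity checklist working, so a single test case is necessary but not sufficient. The following is an added example, not code from the thread or from demo.testfire.net: a constructed in-memory SQLite login table with made-up users, the same lookup written three ways (string concatenation, concatenation behind a naive "--" filter, and a parameterised query), and a function that runs the thread's test strings against each so the difference can be seen rather than argued. Function names, user names and passwords are all assumptions of this example.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a login table (sample users only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("jsmith", "demo1234"), ("alice", "s3cret")])
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """Vulnerable form: user input is spliced into the SQL text.

    Returns the matched username, None for no match, or "ERROR" when the
    database rejects the statement (the error-message clue Henry mentions).
    """
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return "ERROR"
    return row[0] if row else None


def strip_comment(value):
    """Naive blacklist that only removes the '--' comment marker."""
    return value.replace("--", "")


def login_filtered(conn, username, password):
    """Still vulnerable: blocking one token leaves the other forms open."""
    return login_concat(conn, strip_comment(username), strip_comment(password))


def login_param(conn, username, password):
    """Fixed form: bound parameters never become SQL syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def run_tests():
    """Run the thread's test strings against all three implementations."""
    conn = make_db()
    results = {}
    # John's string: no quote, so it stays inside the literal and matches nothing.
    results["noquote_concat"] = login_concat(conn, "1=1--", "x")
    # Henry's corrected string: the quote closes the literal, "or 1 = 1" makes
    # the WHERE clause true, and "--" comments out the password check.
    results["quote_concat"] = login_concat(conn, "' or 1 = 1 --", "x")
    # Henry's "' or --": unbalanced SQL, so the database raises an error.
    results["error_clue"] = login_concat(conn, "' or --", "x")
    # Against the '--' filter the corrected string now fails (with an error)...
    results["quote_filtered"] = login_filtered(conn, "' or 1 = 1 --", "x")
    # ...but a second classic form needs no comment marker and still logs in.
    results["alt_filtered"] = login_filtered(conn, "' or '1'='1", "' or '1'='1")
    # Parameterised query: none of the test strings match a real account.
    results["quote_param"] = login_param(conn, "' or 1 = 1 --", "x")
    results["alt_param"] = login_param(conn, "' or '1'='1", "' or '1'='1")
    # Genuine credentials still work through the fixed form.
    results["valid_param"] = login_param(conn, "jsmith", "demo1234")
    return results


if __name__ == "__main__":
    for name, outcome in run_tests().items():
        print(f"{name:16} -> {outcome!r}")
```

The "quote_filtered" case is the one to note: the filtered build "passes" Henry's corrected test only by returning a database error, which is itself the clue he describes, while the very next string on the checklist still returns a row. Only the parameterised version returns None for every injected string and "jsmith" for the real credentials.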

-------------------------------------------------------------------------
Sponsored by: Watchfire

Securing a web application goes far beyond testing the application using 
manual processes, or by using automated systems and tools. Watchfire's 
"Web Application Security: Automated Scanning or Manual Penetration 
Testing?" whitepaper examines a few vulnerability detection methods - 
specifically comparing and contrasting manual penetration testing with 
automated scanning tools. Download it today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fH6
--------------------------------------------------------------------------
