WebApp Sec mailing list archives

RE: SQL Injection and XSS testing,

From: "James Ash" <jash () spidynamics com>
Date: Sun, 25 Feb 2007 14:37:57 -0500

Hi John,

You also might want to check out this recent Blog entry by Michael
Sutton called - How Prevalent Are SQL Injection Vulnerabilities?

http://portal.spidynamics.com/blogs/msutton/archive/2006/09/26/How-Preva
lent-Are-SQL-Injection-Vulnerabilities_3F00_.aspx


Jash



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of IRM
Sent: Friday, February 23, 2007 3:13 PM
To: webappsec () securityfocus com
Subject: SQL Injection and XSS testing,

Dear all,

Excuse me for this basic question. Just wondering in regards to the SQL
injection, is it sufficient to insert the input with "1=1--" to test
whether a site is vulnerable to the SQL injection? How much level of
assurance can we get by testing the SQL injection limited to "1=1--"?

If I am not wrong I guess most of the security aspects in Web
application are mainly around input validation. So I was wondering is
there any free open source software to automate all the input? Or maybe
a list of stuff that usually need to test? Say SQL Injection or XSS? Is
there a list of parameters kind of cheat sheet? 

John,





------------------------------------------------------------------------
-
Sponsored by: Watchfire

Securing a web application goes far beyond testing the application using
manual processes, or by using automated systems and tools. Watchfire's
"Web Application Security: Automated Scanning or Manual Penetration
Testing?" whitepaper examines a few vulnerability detection methods -
specifically comparing and contrasting manual penetration testing with
automated scanning tools. Download it today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fH6
------------------------------------------------------------------------
--


-------------------------------------------------------------------------
Sponsored by: Watchfire

Securing a web application goes far beyond testing the application using
manual processes, or by using automated systems and tools. Watchfire's
"Web Application Security: Automated Scanning or Manual Penetration
Testing?" whitepaper examines a few vulnerability detection methods -
specifically comparing and contrasting manual penetration testing with
automated scanning tools. Download it today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fH6
--------------------------------------------------------------------------

Current thread:

SQL Injection and XSS testing, IRM (Feb 24)
- RE: SQL Injection and XSS testing, WebAppSec (Feb 25)
- Re: SQL Injection and XSS testing, Josh Zlatin-Amishav (Feb 25)
- Re: SQL Injection and XSS testing, Jason Ross (Feb 25)
- Re: SQL Injection and XSS testing, Matteo Meucci (Feb 25)
- Re: SQL Injection and XSS testing, crazy frog crazy frog (Feb 25)
- RE: SQL Injection and XSS testing, James Ash (Feb 25)
- <Possible follow-ups>
- Re: SQL Injection and XSS testing, eugk . 46247649 (Feb 25)
- Re: SQL Injection and XSS testing, Henry Troup (Feb 25)