Home page logo
/

basics logo Security Basics mailing list archives

Re: Re: Basic security tests for web management application
From: jason.gerfen () gmail com
Date: 18 Apr 2008 13:03:52 -0000

Well you would probably want to validate any and all of the following outside input variables:

Anything dealing with the URI
Any forms dealing with POST/GET/REQUEST processing methods

Some simple manual tests can be done with the following examples:

Say you are wanting to check a URI for cross site scripting: http://www.example.com/?<script>alert('hi')</script> or 
http://www.example.com/?<script>document.write(document.cookie))</script>

Now say your application deals with authentication through a standard web form with an SQL database storing your user 
credentials:
1' UNION SELECT * FROM user; <-use that in a field 

I gave you two very simple examples which if coded correctly your application should reject. For more information 
regarding the following attack vectors do a google search for XSS/SQL Injection attacks.

HTH, Jas


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]