On 2/23/07, IRM <irm_at_iinet.net.au> wrote:
> Excuse me for this basic question. Just wondering in regards to the SQL
> injection, is it sufficient to insert the input with "1=1--" to test
> whether a site is vulnerable to the SQL injection?
absolutely not.
for one thing, there are umpty-zillion different variations of "1=1--",
some of which may work where others do not, depending on:
a) the backend dbms, and
b) the code in the application and
c) some third thing i'm sure i've forgotten to mention
apart from that however, there are a number of other ways to inject
sql into an application which may work where a simple 1=1 fails.
That said, performing 1=1 tests can be a fairly useful first pass, in
that you are likely to reveal some "low hanging fruit" so to speak;
but it should by no means be the only thing done before slapping a
"not injectable" on the app (of course, i'm not sure i'm comfortable
saying *any* app that talks to a dbms is "not injectable" ... perhaps
"not trivially injectable" ;-) )
> If I am not wrong I guess most of the security aspects in Web
> application are mainly around input validation.
I'd tend to agree with this statement, emphasizing that "most" implies
that input validation is by no means the only aspect to consider.
> So I was wondering is there any free open source software to automate all the input?
I highly recommend checking out absinthe. I find it useful for a
number of things, one of them being providing management with a solid
idea of exactly how much data one can obtain via an application which
is vulnerable.
I've found it does very little to provide someone with a screenshot of
"1=1" with a sql error on the page (or even a successful login as the
first user in the database for that matter, sadly.) Providing them a
spreadsheet containing all (or a good portion) of the data in the
database, along with a documented schema, all gained from a single
vulnerable input field, that tends to have the desired effect of "um,
we should fix that" =)
> Or maybe a list of stuff that usually needs to be tested? Say SQL Injection or XSS?
I don't have a cheat sheet link, but wanted to note (the obvious
perhaps) that these are two very different things...
--
Jason Ross
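To make the point in the reply concrete (a single "1=1--" probe depends on the code it lands in, and bound parameters are what actually close the hole), here is an added example that is not part of the original thread. It uses an in-memory SQLite database with constructed sample users; the function names and the two vulnerable query shapes are assumptions made for illustration, not anything from the list or from absinthe.

```python
import sqlite3


def build_db():
    """Constructed sample data for the demo (not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.executemany(
        "INSERT INTO users (name, pw) VALUES (?, ?)",
        [("admin", "s3cret"), ("alice", "hunter2")],
    )
    conn.commit()
    return conn


def login_concat(conn, name, pw):
    """Vulnerable: input is spliced into a quoted (string) context."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return "error"  # a SQL error on the page, the classic 1=1 screenshot
    return row[0] if row else None


def lookup_concat(conn, user_id):
    """Vulnerable: input is spliced into an unquoted (numeric) context."""
    sql = f"SELECT name FROM users WHERE id = {user_id}"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return "error"
    return row[0] if row else None


def login_param(conn, name, pw):
    """Hardened: bound parameters, so input can never become SQL syntax."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND pw = ?", (name, pw)
    ).fetchone()
    return row[0] if row else None


def lookup_param(conn, user_id):
    """Hardened: validate the type first, then bind the value."""
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        return None
    row = conn.execute("SELECT name FROM users WHERE id = ?", (uid,)).fetchone()
    return row[0] if row else None


def first_pass_check(conn):
    """Run the string-context probe from the thread against each query shape.

    Shows why one probe is not a sufficient test: the same input behaves
    differently depending on the code it reaches, and the hardened versions
    treat it as plain data.
    """
    probe = "' OR 1=1--"
    return {
        "concat_string_ctx": login_concat(conn, probe, "x"),   # bypass: 'admin'
        "concat_numeric_ctx": lookup_concat(conn, probe),      # only a SQL error
        "param_string_ctx": login_param(conn, probe, "x"),     # None, no match
        "param_numeric_ctx": lookup_param(conn, probe),        # None, rejected
    }


if __name__ == "__main__":
    db = build_db()
    for query_shape, outcome in first_pass_check(db).items():
        print(f"{query_shape}: {outcome!r}")
```

The numeric-context result is the interesting one for a tester: the page returns a SQL error rather than a login bypass, so a checklist that only looks for "did 1=1-- log me in" would mark that input as safe even though `lookup_concat` still concatenates untrusted input. From the defender's side the fix is the same in both cases: bind the value and validate its type, as `login_param` and `lookup_param` do.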
Received on Feb 25 2007