Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: Re: SQL Injection and XSS testing,

Re: SQL Injection and XSS testing,

From: Matteo Meucci <matteo.meucci_at_gmail.com>
Date: Sun, 25 Feb 2007 13:49:11 +0100

Hi John,
take a look at the OWASP Testing Guide.

In particular:
http://www.owasp.org/index.php/Testing_for_SQL_Injection
http://www.owasp.org/index.php/Testing_for_Cross_site_scripting

Here you can find the testing techniques and a set of open source
tools to use for this purpose.

For XSS and SQL Injection cheat sheet (by RSnake):
http://ha.ckers.org/xss.html
http://ha.ckers.org/sqlinjection/

Cheers,
Mat 

-- 
Matteo Meucci
OWASP-Italy Chair, CISSP, CISA
http://www.owasp.org/index.php/Italy
OWASP Testing Guide lead
http://www.owasp.org/index.php/Testing_Guide
On 2/24/07, IRM <irm_at_iinet.net.au> wrote:
> Dear all,
>
> Excuse me for this basic question. Just wondering in regards to the SQL
> injection, is it sufficient to insert the input with "1=1--" to test
> whether a site is vulnerable to the SQL injection? How much level of
> assurance can we get by testing the SQL injection limited to "1=1--"?
>
> If I am not wrong I guess most of the security aspects in Web
> application are mainly around input validation. So I was wondering is
> there any free open source software to automate all the input? Or maybe
> a list of stuff that usually need to test? Say SQL Injection or XSS? Is
> there a list of parameters kind of cheat sheet?
>
> John,
>
>
>
>
>
> -------------------------------------------------------------------------
> Sponsored by: Watchfire
>
> Securing a web application goes far beyond testing the application using
> manual processes, or by using automated systems and tools. Watchfire's
> "Web Application Security: Automated Scanning or Manual Penetration
> Testing?" whitepaper examines a few vulnerability detection methods -
> specifically comparing and contrasting manual penetration testing with
> automated scanning tools. Download it today!
>
> https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fH6
> --------------------------------------------------------------------------
>
>
-------------------------------------------------------------------------
Sponsored by: Watchfire
Securing a web application goes far beyond testing the application using 
manual processes, or by using automated systems and tools. Watchfire's 
"Web Application Security: Automated Scanning or Manual Penetration 
Testing?" whitepaper examines a few vulnerability detection methods - 
specifically comparing and contrasting manual penetration testing with 
automated scanning tools. Download it today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fH6
--------------------------------------------------------------------------
Received on Feb 25 2007
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos