WebApp Sec mailing list archives

Re: SQL Injection and XSS testing


From: "Jason Ross" <algorythm () gmail com>
Date: Sat, 24 Feb 2007 22:09:53 -0500

On 2/23/07, IRM <irm () iinet net au> wrote:
> Excuse me for this basic question. Just wondering in regards to the SQL
> injection, is it sufficient to insert the input with "1=1--" to test
> whether a site is vulnerable to the SQL injection?

absolutely not.
for one thing, there are umpty-zillion different variations of "1=1--",
some of which may work where others do not, depending on:
  a) the backend dbms, and
  b) the code in the application and
  c) some third thing i'm sure i've forgotten to mention

apart from that however, there are a number of other ways to inject
sql into an application which may work where a simple 1=1 fails.

That said, performing 1=1 tests can be a fairly useful first pass, in
that you are likely to reveal some "low hanging fruit" so to speak;
but it should by no means be the only thing done before slapping a
"not injectable" on the app (of course, i'm not sure i'm comfortable
saying *any* app that talks to a dbms is "not injectable" ... perhaps
"not trivially injectable" ;-) )

> If I am not wrong I guess most of the security aspects in Web
> application are mainly around input validation.

I'd tend to agree with this statement, emphasizing that "most" implies
that input validation is by no means the only aspect to consider.

> So I was wondering is there any free open source software to automate all the input?

I highly recommend checking out absinthe. I find it useful for a
number of things, one of them being providing management with a solid
idea of exactly how much data one can obtain via an application which
is vulnerable.

I've found it does very little to provide someone with a screenshot of
"1=1" with a sql error on the page (or even a successful login as the
first user in the database for that matter, sadly.) Providing them a
spreadsheet containing all (or a good portion) of the data in the
database, along with a documented schema, all gained from a single
vulnerable input field, that tends to have the desired effect of "um,
we should fix that" =)

> Or maybe a list of stuff that usually needs to be tested? Say SQL Injection or XSS?

I don't have a cheat sheet link, but wanted to note (the obvious
perhaps) that these are two very different things...

--
Jason Ross
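As an added example, not part of the original post or of absinthe: the string-concatenation pattern that a "1=1" probe detects, next to the parameterised form that fixes it, run against a constructed in-memory SQLite table. It shows why the probe is only a symptom check (a harmless apostrophe trips the same bug as a tautology) and why the remedy is bound parameters rather than filtering for particular strings.

```python
import sqlite3

# Constructed sample data, not from the original post: a tiny users table.
USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "letmein")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_concat(conn, name, password):
    """Vulnerable form: user input is spliced into the SQL text, so the
    database parses it as SQL rather than treating it as a value."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, name, password):
    """Fixed form: bound parameters are sent as values and never parsed
    as SQL, so no blocklist of strings such as 1=1 is needed."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def probe(conn, login, name, password):
    """Run one login attempt; a SQL syntax error is itself a finding."""
    try:
        return login(conn, name, password)
    except sqlite3.OperationalError:
        return "sql error"


def compare():
    """Same three inputs against both forms: a normal login, the 1=1
    tautology from the thread, and a legitimate name containing a quote."""
    conn = make_db()
    inputs = {
        "valid": ("alice", "s3cret"),
        "tautology": ("' OR 1=1--", "anything"),
        "apostrophe": ("O'Brien", "anything"),
    }
    return {
        label: {"concat": probe(conn, login_concat, *creds),
                "param": probe(conn, login_param, *creds)}
        for label, creds in inputs.items()
    }
```

`compare()` returns every row for the tautology and a syntax error for O'Brien under the concatenated form, while the parameterised form returns no rows for either; the parameterised form is the one to diff against when retesting a fix.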


