Security Basics mailing list archives

Re: Re: Basic security tests for web management application


From: jason.gerfen () gmail com
Date: 18 Apr 2008 13:03:52 -0000

Well you would probably want to validate any and all of the following outside input variables:

Anything dealing with the URI
Any forms dealing with POST/GET/REQUEST processing methods

Some simple manual tests can be done with the following examples:

Say you want to check a URI for cross-site scripting: http://www.example.com/?<script>alert('hi')</script> or
http://www.example.com/?<script>document.write(document.cookie)</script>

Now say your application deals with authentication through a standard web form with an SQL database storing your user credentials:
1' UNION SELECT * FROM user; <-use that in a field

I gave you two very simple examples which, if coded correctly, your application should reject. For more information regarding these attack vectors, do a Google search for XSS/SQL injection attacks.

HTH, Jas
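To show the server side of the checks Jas describes, here is an added example (not from the post or its author) in Python: a bound-parameter lookup plus an allowlist check that reject the UNION string above, and HTML escaping for a URI parameter echoed back into a page. The in-memory sqlite3 `user` table and the username pattern are constructed for this example.

```python
import html
import re
import sqlite3

# Constructed stand-in for the application's credential store; the table name
# "user" matches the one named in the test string from the post.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO user (name, pw_hash) VALUES ('alice', 'constructed-hash')")
    conn.commit()
    return conn

# Allowlist for a login name: letters, digits, '_', '.', '-', 1 to 32 characters.
# Quotes, spaces and semicolons never pass, so the UNION string is refused up front.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

def lookup_user_bound(conn, name):
    # Bound parameter only: the driver sends the value separately from the SQL text,
    # so an input such as  1' UNION SELECT * FROM user;  is compared as a literal
    # username and simply matches nothing.
    return conn.execute("SELECT name FROM user WHERE name = ?", (name,)).fetchall()

def lookup_user_safe(conn, name):
    # Defence in depth: reject malformed input before it reaches the database at all,
    # then use the bound query.
    if not USERNAME_RE.match(name):
        return []
    return lookup_user_bound(conn, name)

def render_query_param(value):
    # Output encoding for anything taken from the URI and written into HTML.
    # quote=True also encodes ' and ", so the value is inert inside attributes too.
    return html.escape(value, quote=True)

if __name__ == "__main__":
    db = make_db()
    print(lookup_user_safe(db, "alice"))
    print(lookup_user_safe(db, "1' UNION SELECT * FROM user;"))
    print(render_query_param("<script>alert('hi')</script>"))
```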
