WebApp Sec mailing list archives
Re: SQL Injection and XSS testing,
From: "Matteo Meucci" <matteo.meucci () gmail com>
Date: Sun, 25 Feb 2007 13:49:11 +0100
Hi John, take a look at the OWASP Testing Guide. In particular: http://www.owasp.org/index.php/Testing_for_SQL_Injection http://www.owasp.org/index.php/Testing_for_Cross_site_scripting Here you can find the testing techniques and a set of open source tools to use for this purpose. For XSS and SQL Injection cheat sheet (by RSnake): http://ha.ckers.org/xss.html http://ha.ckers.org/sqlinjection/ Cheers, Mat -- Matteo Meucci OWASP-Italy Chair, CISSP, CISA http://www.owasp.org/index.php/Italy OWASP Testing Guide lead http://www.owasp.org/index.php/Testing_Guide On 2/24/07, IRM <irm () iinet net au> wrote:
Dear all, Excuse me for this basic question. Just wondering in regards to the SQL injection, is it sufficient to insert the input with "1=1--" to test whether a site is vulnerable to the SQL injection? How much level of assurance can we get by testing the SQL injection limited to "1=1--"? If I am not wrong I guess most of the security aspects in Web application are mainly around input validation. So I was wondering is there any free open source software to automate all the input? Or maybe a list of stuff that usually need to test? Say SQL Injection or XSS? Is there a list of parameters kind of cheat sheet? John, ------------------------------------------------------------------------- Sponsored by: Watchfire Securing a web application goes far beyond testing the application using manual processes, or by using automated systems and tools. Watchfire's "Web Application Security: Automated Scanning or Manual Penetration Testing?" whitepaper examines a few vulnerability detection methods - specifically comparing and contrasting manual penetration testing with automated scanning tools. Download it today! https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fH6 --------------------------------------------------------------------------
------------------------------------------------------------------------- Sponsored by: WatchfireSecuring a web application goes far beyond testing the application using manual processes, or by using automated systems and tools. Watchfire's "Web Application Security: Automated Scanning or Manual Penetration Testing?" whitepaper examines a few vulnerability detection methods - specifically comparing and contrasting manual penetration testing with automated scanning tools. Download it today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008fH6 --------------------------------------------------------------------------
Current thread:
- SQL Injection and XSS testing, IRM (Feb 24)
- RE: SQL Injection and XSS testing, WebAppSec (Feb 25)
- Re: SQL Injection and XSS testing, Josh Zlatin-Amishav (Feb 25)
- Re: SQL Injection and XSS testing, Jason Ross (Feb 25)
- Re: SQL Injection and XSS testing, Matteo Meucci (Feb 25)
- Re: SQL Injection and XSS testing, crazy frog crazy frog (Feb 25)
- RE: SQL Injection and XSS testing, James Ash (Feb 25)
- <Possible follow-ups>
- Re: SQL Injection and XSS testing, eugk . 46247649 (Feb 25)
- Re: SQL Injection and XSS testing, Henry Troup (Feb 25)