How to detect input validation errors and vulnerabilities
What is the best way to tell that a website suffers from either an
input-validation loophole, or vulnerabilities related to SQL injection attacks or buffer
This question can have two different answers. If the site is one that you have no authority to
test, I strongly recommend not testing it. Oftentimes, however, simply trying to input data into a
site can cause it to generate errors. If you get errors that appear to be from the database (i.e.
ORA, ODBC), then there is a good chance the database is vulnerable to SQL
injection, an exploit where malicious code is added to a Web form input box so important
resources and data can be accessed and possibly tampered with.
If you are referring to a site that you own, I recommend checking out the Samurai Web Testing Framework. This is a
live CD that has the absolute best open source Web-testing tools. It is free, and all of the tools
are compiled and ready to go.
Once you get the environment up and running, I recommend looking at w3af, a Web application attack and audit
framework, and the Burp
suite of tools, an integrated platform for testing Web apps. These tools check your
applications for vulnerabilities like cross-site scripting, SQL injection and command
This was first published in April 2009
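
As an added example (not part of the original answer, and not code from any of the tools it names), the database-error check described above can be automated for a site you own by scanning saved response bodies for ORA and ODBC error text. The MySQL signature goes beyond the answer, and the function names and sample responses are assumptions constructed for illustration.

```python
import re

# Database error text that should never reach a browser. ORA and ODBC come
# from the answer above; the MySQL entry is an added generalization.
SIGNATURES = {
    "Oracle": re.compile(r"\bORA-\d{5}\b[^\n<]*"),
    "ODBC": re.compile(
        r"\[[^\]]+\]\[ODBC [^\]]+\][^\n<]*|Provider for ODBC Drivers[^\n<]*"
    ),
    "MySQL": re.compile(r"You have an error in your SQL syntax[^\n<]*"),
}

def find_db_error_leaks(body):
    """Return (engine, leaked_text) pairs found in one response body, in page order."""
    hits = []
    for engine, pattern in SIGNATURES.items():
        for m in pattern.finditer(body):
            hits.append((m.start(), engine, m.group(0).strip()))
    return [(engine, text) for _, engine, text in sorted(hits)]

def audit_responses(responses):
    """Map each URL whose body exposes a database error to its findings."""
    report = {}
    for url, body in responses.items():
        findings = find_db_error_leaks(body)
        if findings:
            report[url] = findings
    return report

# Constructed sample bodies (hypothetical paths), e.g. saved from a test run
# against your own staging site.
SAMPLE_RESPONSES = {
    "/products?id=1": "<html><body><h1>Widget</h1><p>In stock</p></body></html>",
    "/search": "<html><body>Error: ORA-00933: SQL command not properly ended"
               "</body></html>",
    "/login": "<p>Microsoft OLE DB Provider for ODBC Drivers error '80040e14'</p>"
              "<p>[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed "
              "quotation mark after the character string ''.</p>",
    "/help": "<p>Our reports use Oracle over ODBC.</p>",  # plain mention, no error
}

if __name__ == "__main__":
    for url, findings in audit_responses(SAMPLE_RESPONSES).items():
        for engine, text in findings:
            print(f"{url}: {engine} error exposed: {text}")
```

Any URL this reports is returning raw database errors to the client; replacing those with a generic error page and fixing the underlying query handling are separate follow-ups.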