Q

How to detect input validation errors and vulnerabilities

Expert John Strand reviews how to spot input validation flaws on your websites.

What is the best way to tell that a website suffers from either an input-validation loophole, or vulnerabilities related to SQL injection attacks or buffer overflows?
This question can have two different answers. If the site is one that you have no authority to test, I strongly recommend not testing it. Often times, however, simply trying to input data into a site can cause it to generate errors. If you get errors that appear to be from the database (i.e. ORA, ODBC), then there is a good chance the database is vulnerable to SQL injection, an exploit where malicious code is added to a Web form input box so important resources and data can be accessed and possibly tampered with.

If you are referring to a site that you own, I recommend checking out the Samurai Web Testing Framework. This is...

a live CD that has the absolute best open source Web-testing tools. It is free, and all of the tools are compiled and ready to go.

Once you get the environment up and running, I recommend looking at w3af, a Web application attack and audit framework, and the Burp suite of tools, an integrated platform for testing Web apps. These tools check your applications for vulnerabilities like cross-site scripting, SQL injection and command injection.

This was last published in April 2009

Dig Deeper on Application Attacks (Buffer Overflows, Cross-Site Scripting)

PRO+

Content

Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close