
	Home > Ask the Security Experts > Information Security Threats Questions & Answers > How to detect input validation errors and vulnerabilities

Ask The Security Expert: Questions & Answers

EMAIL THIS

How to detect input validation errors and vulnerabilities

EXPERT RESPONSE FROM: John Strand, featured expert

		Pose a Question

		Other Security Categories

		Meet all Security Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 27 December 2008
What is the best way to tell that a website suffers from either an input-validation loophole, or vulnerabilities related to SQL injection attacks or buffer overflows?

This question can have two different answers. If the site is one that you have no authority to test, I strongly recommend not testing it. Often times, however, simply trying to input data into a site can cause it to generate errors. If you get errors that appear to be from the database (i.e. ORA, ODBC), then there is a good chance the database is vulnerable to SQL injection, an exploit where malicious code is added to a Web form input box so important resources and data can be accessed and possibly tampered with.

If you are referring to a site that you own, I recommend checking out the Samurai Web Testing Framework. This is a live CD that has the absolute best open source Web-testing tools. It is free, and all of the tools are compiled and ready to go.

Once you get the environment up and running, I recommend looking at w3af, a Web application attack and audit framework, and the Burp suite of tools, an integrated platform for testing Web apps. These tools check your applications for vulnerabilities like cross-site scripting, SQL injection and command injection.

BROWSE BY TAG

Information Security Threats, Application and Platform Security, Application Attacks (Buffer Overflows, Cross-Site Scripting), Enterprise Vulnerability Management, Vulnerability Risk Assessment, VIEW ALL TAGS

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Information Security Threats
	How to get rid of malware, botnets on a hospital IT network
	Should a national cybersecurity strategy include offensive botnets?
	How can search results lead to malware?
	How to prevent brute force webmail attacks
	How to prevent mobile phone spying
	What are today's antivirus software trends?
	How to prevent and build protection against online identity theft
	Can secure USB devices prevent man-in-the middle attacks
	Is there a spy on my mobile device?
	When should new browsers be adopted in an enterprise?

Application Attacks (Buffer Overflows, Cross-Site Scripting)

Adobe warns of critical update for Reader, Acrobat 9.1.3

9 Ways to Improve Application Security After an Incident

Developers Need Help with Security Errors

Buffer overflow tutorial: How to find vulnerabilities, prevent attacks

SQL injection protection: A guide on how to prevent and stop attacks

Experts rebuke programmers who use SQL injection as feature

SANS: Application threats, website flaws pose biggest security threats

Mozilla helps Adobe push out faster patches

SSH key compromise shuts down Apache website

IBM finds sharp spike in malicious content on trusted sites

Application Attacks (Buffer Overflows, Cross-Site Scripting) Research

Vulnerability Risk Assessment

Screencast: How to launch an OpenVAS scan

Trusteer CEO criticizes Adobe, touts better patch deployments

Patch management study shows IT taking significant risks

Vulnerability mitigation study shows need for faster patching

Microsoft to issue security report card, new tool at Black Hat

Newest malware threats

Are Web application penetration tests still important?

PCI compliance requirement 6: Systems and applications

Cybercrime and threat management

McAfee to acquire Solidcore Systems for whitelisting

Vulnerability Risk Assessment Research

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

buffer overflow (SearchSecurity.com)

cache poisoning (SearchSecurity.com)

cyberterrorism (SearchSecurity.com)

dictionary attack (SearchSecurity.com)

directory harvest attack (SearchSecurity.com)

distributed denial-of-service attack (SearchSecurity.com)

JavaScript hijacking (SearchSecurity.com)

ping of death (SearchSecurity.com)

stack smashing (SearchSecurity.com)

SYN flooding (SearchSecurity.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

Find Security Solutions for Your Business

View this month\\'s issue and subscribe today.

Apply online for free conference admission.

SEARCH :

Site Index

TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.


TechTarget Corporate Web Site \| Media Kits \| Site Map All Rights Reserved, Copyright 2003 - 2009, TechTarget \| Read our Privacy Policy