Home
Topics
Application and Platform Security
Application Attacks (Buffer Overflows, Cross-Site Scripting)
How to detect input validation errors and vulnerabilities

How to detect input validation errors and vulnerabilities

John Strand, featured expert

What is the best way to tell that a website suffers from either an input-validation loophole, or vulnerabilities related to SQL injection attacks or buffer overflows?

Requires Free Membership to View

Login

SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

Michael S. Mimoso, Editorial Director

By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at [email protected].

This question can have two different answers. If the site is one that you have no authority to test, I strongly recommend not testing it. Often times, however, simply trying to input data into a site can cause it to generate errors. If you get errors that appear to be from the database (i.e. ORA, ODBC), then there is a good chance the database is vulnerable to SQL injection, an exploit where malicious code is added to a Web form input box so important resources and data can be accessed and possibly tampered with.

If you are referring to a site that you own, I recommend checking out the Samurai Web Testing Framework. This is a live CD that has the absolute best open source Web-testing tools. It is free, and all of the tools are compiled and ready to go.

Once you get the environment up and running, I recommend looking at w3af, a Web application attack and audit framework, and the Burp suite of tools, an integrated platform for testing Web apps. These tools check your applications for vulnerabilities like cross-site scripting, SQL injection and command injection.

More News and Tutorials

Articles

Related glossary terms

Terms for Whatis.com - the technology online dictionary

This was first published in April 2009

Join the conversationComment

Share

Comments

Results

Contribute to the conversation

All fields are required. Comments will appear at the bottom of the article.

Back to top

More from Related TechTarget Sites

Cloud Security
Security Channel
SMB Security
Financial Security
Security UK
Security AU
Security IN

Cloud Security
- Presentation: Evaluating Security as a Service providers
  
  Expert Joe Granneman on what to look for when evaluating Security as a Service providers, including separation of duties, and multi-tenancy security.
- Cloud security monitoring: Challenges and guidance
  
  Security monitoring in the cloud is complicated. In this tip, Ed Moyle explains issues to watch out for and provides guidance for cloud security monitoring.
- Can enterprises really count on cloud computing cost savings?
  
  Video: Enterprises counting on cloud computing cost savings may be in for an unpleasant surprise, plus learn about often-overlooked cloud risks.
Security Channel
- Biometric authentication methods: Comparing smartphone biometrics
  
  Biometric authentication helps ensure only authorized smartphone users can access a network. David Jacobs weighs the pros and cons of three methods.
- F5 Vault program embraces incentives for F5 firewall, security sales
  
  The Vault partner program uses incentives to increase visibility for F5 firewalls and its architecture bundle.
- Using DMARC to improve DKIM and SPF email antispam effectiveness
  
  DMARC aids the DKIM and SPF protocols that help keep spam out and let legitimate emails in. David Jacobs explains how.
searchMidmarketSecurity
- Windows Phone 7 security: Assessing WP7 security features
  
  Windows Phone 7 security features are proving to be a mixed bag. Sam Cattle assesses the enterprise security pros and cons of the latest Windows mobile platform.
- Choosing the best security certifications for your career
  
  Whether starting your career or planning your next step as an IT security professional, this tip will guide you toward the best certifications for your interests and experience.
- Midmarket security tutorials
  
  SearchMidmarketSecurity.com’s tutorials offer IT professionals in-depth lessons and technical advice on the hottest topics in the midmarket IT security industry. Through our tutorials we seek to provide site members with the foundational knowledge needed to deal with the increasingly challenging job of keeping their organizations secure.
searchFinancialSecurity
- Improved Shylock Trojan targets banking users
  
  The latest variant of the banking Trojan is causing numerous problems, Symantec said.
- Tilon financial malware targets banks via MitB attack, Trusteer finds
  
  Tilon is related to the Silon malware detected in 2009. It uses a man-in-the-browser attack to capture form submissions and steal credentials.
- Citadel malware toolkit going underground, says RSA
  
  The Citadel crimeware, a toolkit giving cybercriminals sophisticated financial malware, is being taken off the market by its authors, according to experts monitoring its activity.
Security UK
- Royal Holloway 2012: A framework for preventing cross-site scripting
  
  Based on his Royal Holloway thesis, Joseph Bugeja proposes a new framework for preventing cross-site scripting attacks.
- Royal Holloway 2012: Designing a secure contactless payment system
  
  In his Royal Holloway thesis, Albert Attard proposes a contactless payment system to make card-not-present credit card transactions more secure.
- Royal Holloway 2012: An incident response process for armoured malware
  
  An incident response process may be futile when dealing with today’s armoured malware, as explained in this Royal Holloway article.
searchSecurityAU
- Intro: How big data benefits enterprise information security posture
  
  Andrew Hutchison explains how big data benefits enterprise information security posture by merging the security and operational data landscape.
- August 2012 Patch Tuesday fixes flaw being actively targeted by attackers
  
  A dangerous flaw in Windows Common Controls affects multiple systems and software, including Office, SQL Server and Visual Basic 6.0 Runtime.
- Software license management in the cloud: A complex process
  
  Managing software licenses in virtual environments is complicated. Find out strategies for tackling this challenge.
Information Security
- RSA key length change should be priority in September 2012 Patch Tuesday
  
  Two important bulletins were issued in Microsoft's September 2012 Patch Tuesday.
- HDFC Bank’s ISO 27004 compliant security metrics a boost toward GRC
  
  An ISO/IEC 27004 compliant metrics program is a rarity in the Indian infosec circuit. Indian BFSI major HDFC Bank’s ISMS has been there, done that.
- Aurora attackers target defense firms, use flurry of zero-days
  
  Cybercriminals tied to the 2009 Aurora attacks have used a flurry of zero-day exploits and a new "watering hole" attack technique in targeted campaigns.

All Rights Reserved,Copyright 2000 - 2012, TechTarget