How to detect input validation errors and vulnerabilities
What is the best way to tell that a website suffers from either an input-validation loophole, or vulnerabilities related to SQL injection attacks or buffer overflows?
This question can have two different answers. If the site is one that you have no authority to test, I strongly recommend not testing it. Often times, however, simply trying to input data into a site can cause it to generate errors. If you get errors that appear to be from the database (i.e. ORA, ODBC), then there is a good chance the database is vulnerable to SQL injection
, an exploit where malicious code is added to a Web form input box so important resources and data can be accessed and possibly tampered with.
If you are referring to a site that you own, I recommend checking out the Samurai Web Testing Framework. This is a live CD that has the absolute best open source Web-testing tools. It is free, and all of the tools are compiled and ready to go.
Once you get the environment up and running, I recommend looking at w3af, a Web application attack and audit framework, and the Burp suite of tools, an integrated platform for testing Web apps. These tools check your applications for vulnerabilities like cross-site scripting, SQL injection and command injection.
This was first published in April 2009