How to detect input validation errors and vulnerabilities

Ask the Expert

How to detect input validation errors and vulnerabilities

What is the best way to tell that a website suffers from either an input-validation loophole, or vulnerabilities related to SQL injection attacks or buffer overflows?

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

Safe Harbor

This question can have two different answers. If the site is one that you have no authority to test, I strongly recommend not testing it. Often times, however, simply trying to input data into a site can cause it to generate errors. If you get errors that appear to be from the database (i.e. ORA, ODBC), then there is a good chance the database is vulnerable to SQL injection, an exploit where malicious code is added to a Web form input box so important resources and data can be accessed and possibly tampered with.

If you are referring to a site that you own, I recommend checking out the Samurai Web Testing Framework. This is a live CD that has the absolute best open source Web-testing tools. It is free, and all of the tools are compiled and ready to go.

Once you get the environment up and running, I recommend looking at w3af, a Web application attack and audit framework, and the Burp suite of tools, an integrated platform for testing Web apps. These tools check your applications for vulnerabilities like cross-site scripting, SQL injection and command injection.

This was first published in April 2009