  1. #1 Member (joined May 2006, Mumbai)

    Web security testing

    I have been assigned a project of testing a web-based application (login screen) having username & password fields. The page is .asp & using an IIS server.

    I have to test its security, i.e. whether it provides information which could be used to exploit its security.

    Whether the application login is SQL injection proof.

    Whether the application login is HTML injection proof.

    I have knowledge of SQL & know the injection funda but could not go through. So kindly let me know how to test this & what are the different ways through which this can be tested, with examples.

  2. #2 Moderator JakeBrake (joined Dec 2000, St. Louis - Year 2025)

    Re: Web security testing

    Perhaps this will help:

    http://msdn2.microsoft.com/en-us/library/hbtw6093.aspx

    IMHO, the best way to avoid many security issues is to avoid IIS.

  3. #3 Member (joined May 2006, Mumbai)

    Re: Web security testing

    Hello,
    Thanks for your response, but I am looking for some more info with a few good examples.

  4. #4 Junior Member (joined Jul 2006, Munich)

    Re: Web security testing

    Hi,

    For SQL injection you could try to use something like
    ' OR 1=1 --
    as either password and/or username.
    The correct behaviour should be that it shows a "login incorrect" page.
    If possible, check the code behind.
    Are the values passed to a query directly? If so, it's very likely that it's vulnerable to some kind of SQL injection.
    If it's not possible to check the code, try an apostrophe in the username or password; if this ends up in an internal server error, then something is certainly wrong.

    A good place to find more information:
    http://www.owasp.org/index.php/SQL_injection

    HTML injection.
    I'm not sure what is meant by HTML injection; if they mean cross-site scripting, then I don't know how a login page could be vulnerable to it.
    As I understand this kind of injection, it's used to inject HTML tags / JavaScript into form fields which are saved and in some way displayed later on. A very easy example is the username <b>itsme</b>, which will then be displayed as bold text. While this wouldn't do too much harm, a JavaScript could redirect to another page, for example.
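
    The two checks from this reply (the `' OR 1=1 --` bypass and the lone apostrophe), run against a string-concatenated login query and against a parameterised one. This is an added example, not code from the thread or from the poster's application; the in-memory SQLite table, the `alice` account and the function names are constructed for the demo, and the plaintext password column is only for brevity.

```python
import sqlite3

# Constructed in-memory user table standing in for the site's real one.
# Passwords are stored in plaintext here only to keep the demo short.
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
CONN.execute("INSERT INTO users (username, password) VALUES ('alice', 's3cret')")
CONN.commit()


def login_concat(username: str, password: str) -> bool:
    """The pattern the reply warns about: form values pasted straight into the SQL text."""
    sql = ("SELECT id FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return CONN.execute(sql).fetchone() is not None


def login_param(username: str, password: str) -> bool:
    """Parameterised query: the driver sends the values separately from the SQL text,
    so an apostrophe or a comment marker in a field is just data."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return CONN.execute(sql, (username, password)).fetchone() is not None


def probe(login) -> dict:
    """Apply the reply's checks to a login function and record what happened."""
    results = {
        "valid": login("alice", "s3cret"),          # real credentials must still work
        "bypass": login("' OR 1=1 --", "x"),        # True means the login was bypassed
    }
    try:
        login("'", "x")                             # the apostrophe test
        results["apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["apostrophe"] = "sql error"         # the "internal server error" symptom
    return results


if __name__ == "__main__":
    print("concatenated:", probe(login_concat))
    print("parameterised:", probe(login_param))
```

    The concatenated version logs the bypass in and throws a SQL error on the apostrophe; the parameterised version only accepts the real credentials and treats both probes as ordinary, non-matching input.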

  5. #5 Member (joined Apr 2003, Bonn, NRW, Germany)

    Re: Web security testing

    Try to manipulate the URL. Have a look at the URL when you use the application with a correct login, and then, after logging off, try to manipulate the URL in the way you have seen it before. If there is no URL shown, take a link in the application and look at the properties of the link (right mouse click / Properties). Often you can see the URL of this link in this way.

    Michael Böll
    Germany
