
Friday, June 10, 2011

Data Validation Testing

TESTING FOR REFLECTED CROSS SITE SCRIPTING (OWASP-DV-001)
Reflected Cross-site Scripting (XSS) is another name for non-persistent XSS: the payload is not stored by the vulnerable web application, but is delivered when the victim loads a URI crafted by the attacker and the application echoes the injected input back into its response without encoding it. In this article we will see some ways to test a web application for this kind of vulnerability.
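To make the reflected-XSS check concrete, here is an added example (my own code, not from the original post or from the OWASP guide). It simulates a page that reflects the `user` parameter, once without output encoding and once with it, and a small probe that classifies how the input comes back. The two handlers, the marker string and the query-string handling are assumptions made for the example; the real akakom.ac.id page is not involved, and a real test would send the probe over HTTP and inspect the response body in the same way.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Two hypothetical handlers standing in for the page under test (constructed
# for this example; not the real akakom.ac.id application).
def vulnerable_page(query_string: str) -> str:
    """Reflects the 'user' parameter into the HTML body without encoding."""
    user = parse_qs(query_string).get("user", [""])[0]
    return f"<html><body>Welcome, {user}</body></html>"

def hardened_page(query_string: str) -> str:
    """Same page, but the parameter is HTML-escaped before it is reflected."""
    user = parse_qs(query_string).get("user", [""])[0]
    return f"<html><body>Welcome, {html.escape(user, quote=True)}</body></html>"

# A unique marker tells reflection of *our* input apart from text that
# happened to be on the page already.
MARKER = "xsstest7f3a"
PROBE = f"<script>alert('{MARKER}')</script>"

def classify_reflection(body: str, probe: str = PROBE, marker: str = MARKER) -> str:
    """'raw'     : probe reflected verbatim -> reflected XSS
       'encoded' : marker present but the probe was altered (e.g. HTML-escaped)
       'absent'  : parameter not reflected at all"""
    if probe in body:
        return "raw"
    if marker in body:
        return "encoded"
    return "absent"

def probe_url(url: str, handler) -> str:
    """Swap the 'user' value in the URL's query for the probe and classify the
    response. The probe is URL-encoded first, as a browser or curl would do.
    'handler' stands in for the HTTP request a real test would send."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    params["user"] = [PROBE]
    return classify_reflection(handler(urlencode(params, doseq=True)))

if __name__ == "__main__":
    target = "http://akakom.ac.id/index.php?user=test"
    print("vulnerable:", probe_url(target, vulnerable_page))  # raw
    print("hardened:  ", probe_url(target, hardened_page))    # encoded
```

A result of "raw" means the input is reflected unencoded, which is the condition for reflected XSS; "encoded" means output encoding such as `html.escape` is in place; "absent" means the parameter is not echoed at all and this vector does not apply. The probe is URL-encoded before it is sent because a web server or filter may reject a request line containing literal `<` and `>` before the application ever sees it, which would look like "not vulnerable" when nothing has actually been tested.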
The following are the steps I carried out:
1.      OWASP-DV-001
In this phase, I tried to enter the following URL:
http://akakom.ac.id/index.php?user=<script>alert(latihan)</script>, and here is the result:



The result above means that the URL entered could not be accessed.


2.      OWASP-DV-002
In this phase I just wanted to try BeEF XSS, but I couldn't use this tool because I didn't know it yet. I read about the BeEF XSS shell and found a script like this:
<html>
<title>BeEF Example</title>
<body>BeEF<script src='http://127.0.0.1/beef/hook/beefmagic.js.php'></script>
</body>
</html>
The above is an example script for using BeEF XSS.

3.      OWASP-DV-003
I don't know about this phase, because it involves many scripts and I don't know where the scripts must be used.

4.      OWASP-DV-004
This stage is the same as the previous stage: I don't know how I should use the script.

5.      OWASP-DV-005
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.
A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file existing on the DBMS file system and, in some cases, issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to change the execution of predefined SQL commands.


Standard SQL Injection Testing
Consider the following SQL query:
SELECT * FROM Users WHERE Username='$username' AND Password='$password'
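As an added example (my own code, not from the original post or from the OWASP guide), the query above wired into a small login check against an in-memory SQLite database, once built by string substitution and once with bound parameters, together with the classic single-quote probe used as the first test for injection. The table contents, the payloads and the function names are constructed for the example; the clear-text password column exists only to keep the behaviour visible, and `--` is the SQL line comment in SQLite as in most other DBMSes.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample data for the example (not a real user table)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("admin", "S3cret!"), ("alice", "wonderland")])
    conn.commit()
    return conn

def login_vulnerable(conn, username: str, password: str) -> list:
    """The query from the text, built by string substitution: quotes in the
    attacker's input become part of the SQL statement itself."""
    sql = (f"SELECT * FROM Users WHERE Username='{username}' "
           f"AND Password='{password}'")
    return conn.execute(sql).fetchall()

def login_parameterized(conn, username: str, password: str) -> list:
    """Same query with bound parameters: the values are passed to the driver
    separately and are never parsed as SQL."""
    sql = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return conn.execute(sql, (username, password)).fetchall()

def quote_probe_errors(login_fn, conn) -> bool:
    """Standard first probe: submit a lone single quote. A database error
    means the quote reached the SQL parser, i.e. the input is injectable."""
    try:
        login_fn(conn, "'", "x")
        return False
    except sqlite3.Error:
        return True

if __name__ == "__main__":
    conn = make_db()
    # Tautology in the password: every row satisfies ... OR '1'='1'
    print(login_vulnerable(conn, "admin", "1' OR '1'='1"))      # both rows
    # Comment out the password check entirely
    print(login_vulnerable(conn, "admin'--", "wrong"))          # admin row
    print(login_parameterized(conn, "admin", "1' OR '1'='1"))  # []
    print(login_parameterized(conn, "admin'--", "wrong"))      # []
    print(quote_probe_errors(login_vulnerable, conn))          # True
    print(quote_probe_errors(login_parameterized, conn))       # False
```

The single-quote probe is what the "standard" test in the OWASP guide starts from: if the application errors out on a lone quote, the quote is being interpreted by the database, and tautology or comment payloads like the two shown are the next step. The parameterized version passes the same payloads through untouched and returns no rows, which is the expected result on a fixed endpoint.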

5.1 Oracle Testing
Web-based PL/SQL applications are enabled by the PL/SQL Gateway, the component that translates web requests into database queries. Oracle has developed a number of implementations of it, ranging from the early web listener product to the Apache mod_plsql module to the XML Database (XDB) web server, each with its own quirks and issues. Products that use the PL/SQL Gateway include, but are not limited to, the Oracle HTTP Server, eBusiness Suite, Portal, HTMLDB, WebDB and Oracle Application Server.
