Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

12/13/2007
02:22 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Quick Website Vulnerability Self-Test

Breach Security offers simple test you can do on your own to check for Website flaws

Worried your Website may harbor some serious vulnerabilities? Web application firewall maker Breach Security has come up with a quickie do-it-yourself test for Website owners that might help you spot the most common Website flaws -- SQL injection, cross-site scripting (XSS), and session hijacking.

SQL injection: To test for SQL injection bugs, peruse the application and find places where users can enter text, such as where the text is used to perform a lookup function, according to Breach. Then type a single quote character and some text: If the application shows an error message from your database, then you're likely housing an SQL injection bug.

Cross-site scripting (XSS): Find areas in your application that accept user input, such as a page where users can send in their feedback or reviews of a product, for example. Try submitting this text -- a less-than sign, the word "script," and then the greater-than sign (with no spaces in between): < script >

If that text displays where you reload the page, then your site has an XSS vulnerability, according to Breach.

Session hijacking: If your application has a session identifier number in the URL -- which Breach does not recommend -- decrease that number by one and reload the page. The app has a session hijacking vulnerability if the app then "sees" you as a different user. And if you don't have a session identifier in the URL, load a plug-in onto your browser that lets you view and modify cookies, according to Breach, which sells Web application firewalls. "Look in the cookie for session identifiers and perform the same test," according to Breach.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Latest Comment: Exactly
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11856
PUBLISHED: 2020-09-22
Arbitrary code execution vulnerability on Micro Focus Operation Bridge Reporter, affecting version 10.40 and earlier. The vulnerability could allow remote attackers to execute arbitrary code on affected installations of OBR.
CVE-2020-16202
PUBLISHED: 2020-09-22
WebAccess Node (All versions prior to 9.0.1) has incorrect permissions set for resources used by specific services, which may allow code execution with system privileges.
CVE-2020-24333
PUBLISHED: 2020-09-22
A vulnerability in Arista&acirc;&euro;&trade;s CloudVision Portal (CVP) prior to 2020.2 allows users with &acirc;&euro;&oelig;read-only&acirc;&euro;&#65533; or greater access rights to the Configlet Management module to download files not intended for access, located on the CVP server, by accessing ...
CVE-2020-4619
PUBLISHED: 2020-09-22
IBM Data Risk Manager (iDNA) 2.0.6 stores user credentials in plain in clear text which can be read by an authenticated user. IBM X-Force ID: 184976.
CVE-2020-4620
PUBLISHED: 2020-09-22
IBM Data Risk Manager (iDNA) 2.0.6 could allow a remote authenticated attacker to upload arbitrary files, caused by the improper validation of file extensions. By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious file, which could allo...