Testing for Web Site Vulnerabilities
By Regina Kwon | Posted 2002-11-01
Will your Web site pass our security tests?
Most organizations only react to security threats, and too often only after damage has been done. But patching a system won't recover stolen data, recoup lost competitive advantage or revive consumer confidence. The following links lead to simple tests (provided by security vendor SPI Dynamics) that you can run to make sure your site has its guard up. Each test includes an explanation of the vulnerability, the test itself and, where needed, a link to a white paper that explains what to do if your site fails.
- A SQL injection vulnerability could let an attacker download a site's entire back-end database.
- Unrestricted directory listings can be exploited by attackers to reach data that was never meant to be viewable by unauthenticated users.
A dynamic Web address reveals the Web server, the script's name, the parameter and the value that was sent to the script. SQL injection and other attacks capitalize on flaws in the way those values are handled. For instance, a script may expect only numeric values; if a letter is sent instead, the script should reject the request. If it does not, the value reaches the database unchecked and can carry malicious commands with it. Below is an example of a typical dynamic address.
Sometimes you'll see multiple parameters, usually separated by ampersands:
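As an added example that is not part of the original article or of SPI Dynamics' tests, the following Python script takes a constructed address of that shape (the host www.example.com, the script name products.asp, the parameter names and the item table are all hypothetical), splits it into server, script and parameters, and then contrasts the two ways a script can handle the numeric "item" value: pasting it straight into the SQL, which lets "17 OR 1=1" return every row, versus rejecting anything that is not a plain integer and binding the value as a query parameter.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample dynamic address with two parameters separated by an
# ampersand. Host, script name and parameter names are hypothetical.
SAMPLE_URL = "http://www.example.com/products.asp?category=3&item=17"


def parse_dynamic_address(url):
    """Break a dynamic address into the parts the article lists:
    the Web server, the script's name, and each parameter with its value."""
    parts = urlsplit(url)
    # parse_qs decodes '+' and %XX escapes, so "17+OR+1%3D1" becomes "17 OR 1=1"
    query = parse_qs(parts.query, keep_blank_values=True)
    return {
        "server": parts.netloc,
        "script": parts.path,
        "params": {name: values[0] for name, values in query.items()},
    }


def make_db():
    """Build a small in-memory table standing in for the site's back end (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?, ?)",
        [(17, "widget", 9.99), (18, "gadget", 19.99), (19, "gizmo", 4.50)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, item):
    """The flaw the article describes: the value is concatenated into the
    statement, so letters and operators go straight to the database."""
    sql = "SELECT id, name FROM items WHERE id = " + item
    return conn.execute(sql).fetchall()


class BadParameter(ValueError):
    """Raised when a request carries a value the script does not accept."""


def lookup_hardened(conn, item):
    """Reject anything that is not a string of ASCII digits, then bind the
    value instead of pasting it into the SQL text."""
    if not re.fullmatch(r"[0-9]+", item):
        raise BadParameter("item must be numeric, got %r" % item)
    return conn.execute(
        "SELECT id, name FROM items WHERE id = ?", (int(item),)
    ).fetchall()


def demo():
    """Send a tampered item value through both lookups.
    Returns (rows leaked by the vulnerable lookup, whether the hardened one rejected it)."""
    conn = make_db()
    malicious = "http://www.example.com/products.asp?category=3&item=17+OR+1%3D1"
    item = parse_dynamic_address(malicious)["params"]["item"]  # "17 OR 1=1"
    leaked = lookup_vulnerable(conn, item)  # every row, not just item 17
    try:
        lookup_hardened(conn, item)
        rejected = False
    except BadParameter:
        rejected = True
    return len(leaked), rejected


if __name__ == "__main__":
    print(parse_dynamic_address(SAMPLE_URL))
    print(demo())
```

The whitelist check is deliberately strict: it accepts only ASCII digits rather than relying on a looser test such as str.isdigit(), and the parameterized query is kept even after validation so that the database never sees user input as SQL text.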