Testing for Web Site Vulnerabilities

By Regina Kwon | Posted 2002-11-01

Will your Web site pass our security tests?

Most organizations only react to security threats, and too often, only after damage has been done. But patching a system won't recover stolen data, recoup competitive advantage or revive consumer confidence. The following links take you to simple tests (provided by security vendor SPI Dynamics) that you can take to ensure your site has its guard up. Each test includes an explanation of the vulnerability, the test and, if necessary, a link to a white paper that explains what to do if your site fails.

  1. A SQL injection vulnerability could let an attacker download a site's entire back-end database.
  2. Cross-site scripting occurs when attackers embed malicious JavaScript code in a site's dynamically generated pages, affecting the machine of any user who views that site.
  3. Unrestricted directory listings can be exploited by attackers to gain access to data that was never intended to be viewable by unauthenticated users.

Before You Start: Dynamic URL Basics

A dynamic Web address shows the Web server, the script's name, the parameter and the value that was sent to the script. SQL Injection and other attacks capitalize on flaws in the way values are handled. For instance, a script may use only numeric values. If a letter is sent instead, the script should reject the request. Not doing so means malicious commands can make it to the database. Below is an example of a typical dynamic address.

http://www.anysite.com/article.asp?id=1

Sometimes you'll see multiple parameters, usually separated by ampersands:

../article.asp?id=1&pageid=34
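The check the passage describes (reject a request whose numeric parameter contains anything but digits, so the value never reaches the database unvalidated), as an added Python example that is not part of the original article: the parameter names `id` and `pageid` come from the article's URLs, while the sqlite table, the digit pattern and the function names are assumptions made for the example.

```python
"""Validate numeric query parameters from a dynamic URL before they reach the database.
Added example, not from the article; the `id` and `pageid` names are taken from the
article's sample URLs, the sqlite schema below is constructed for the demo."""
import re
import sqlite3
from urllib.parse import urlparse, parse_qs

NUMERIC_PARAMS = ("id", "pageid")        # parameters the script accepts only as numbers
_DIGITS = re.compile(r"^[0-9]{1,9}$")    # whole value must be digits, with a bounded length


def validate_numeric_params(url):
    """Return the numeric parameters as ints, or None if the request must be rejected."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    result = {}
    for name in NUMERIC_PARAMS:
        values = query.get(name)
        if not values:
            continue  # an absent parameter is left for the script to treat as optional or required
        if len(values) != 1 or not _DIGITS.match(values[0]):
            return None  # letters, quotes, an empty value or a duplicated parameter: reject
        result[name] = int(values[0])
    return result


def lookup_article(conn, url):
    """Look up an article title for a request URL, returning None for rejected requests."""
    params = validate_numeric_params(url)
    if params is None or "id" not in params:
        return None
    # Parameterised query: the value is bound, never spliced into the SQL text.
    row = conn.execute("SELECT title FROM articles WHERE id = ?", (params["id"],)).fetchone()
    return row[0] if row else None


def demo_db():
    """Constructed in-memory database standing in for the site's article table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)",
                     [(1, "Testing for Web Site Vulnerabilities"), (34, "Dynamic URL Basics")])
    return conn
```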

As Statistics Editor of Baseline magazine, Regina creates interactive tools, worksheets and project guides for technology managers. Before joining Ziff Davis, she worked as a technical program manager for a database company, where her projects included data management applications in XML, Java, Visual Basic and ASP. Her other experience includes running the new media department at Christie's Inc. and writing and editing for Internet World and PC Magazine. Regina received a B.A. from Yale.