Testing for Web Site Vulnerabilities

Most organizations only react to security threats, and too often, only after damage has been done. But patching a system won’t recover stolen data, recoup competitive advantage or revive consumer confidence. The following links take you to simple tests (provided by security vendor SPI Dynamics) that you can take to ensure your site has its guard up. Each test includes an explanation of the vulnerability, the test and, if necessary, a link to a white paper that explains what to do if your site fails.

  1. SQL injection vulnerability could lead to a site’s entire back-end database being downloaded by a hacker.
  2. Cross-site scripting occurs when hackers embed malicious JavaScript code into a site’s dynamically generated pages, affecting the machine of any user that views that site.
  3. Unrestricted directory listings can be exploited by attackers to gain access to data that was not intended to be viewable to unauthenticated users.
Before You Start: Dynamic URL Basics

A dynamic Web address shows the Web server, the script’s name, the parameter and the value that was sent to the script. SQL Injection and other attacks capitalize on flaws in the way values are handled. For instance, a script may use only numeric values. If a letter is sent instead, the script should reject the request. Not doing so means malicious commands can make it to the database. Below is an example of a typical dynamic address.

http://www.anysite.com/article.asp?id=1

Sometimes you’ll see multiple parameters, usually separated by ampersands:

../article.asp?id=1&pageid=34