
Re: Web Security Tools?

by tomhukins (Curate)
on Jun 04, 2004 at 08:31 UTC (#360765)

in reply to Web Security Tools?

Although it's not an automated tool itself, WWW::Mechanize allows you to develop site testing tools quickly. HTTP::Recorder helps you generate mech scripts which you can modify to repeat queries with different parameters.

You might modify the parameters sent to be empty, include non-ASCII characters, or use the quote (') and backtick (`) characters to check for SQL and shell escaping, respectively.

If you have access to the source itself, note the errors thrown by enabling taint checking and consider how you might exploit them. Automated tools generally work against a server, but you can look through the source itself - usually a richer source of ideas.

Replies are listed 'Best First'.
Re^2: Web Security Tools?
by davis (Vicar) on Jun 04, 2004 at 09:17 UTC
    > You might modify the parameters sent to be empty, include non-ASCII characters,
    Add the NULL "\0" value to that list. It might upset some programs that do string handling in C. But then, if the OP had Taint checking on (and used it sensibly), it'd be extremely unlikely that anything like that got through.

    It's not easy to juggle a pregnant wife and a troubled child, but somehow I managed to fit in eight hours of TV a day.
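
The taint-checking point made in both posts above, as an added example that is not code from either poster: it feeds the value classes named in the thread (empty, non-ASCII, quote, backtick, NUL) through a taint-mode allow-list and shows Perl refusing to pass the rejected ones to `system()`. The allow-list pattern, the sample values, the `untaint_name` helper and the `/bin/echo` call are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread). Run as: perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint mode checks PATH and related variables before running any command,
# so set them explicitly instead of inheriting them.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/bin:/usr/bin';

# A zero-length slice of tainted data is itself tainted; appending it marks
# our constructed literals the way real request parameters would be marked.
my $TAINT = substr("$0$^X", 0, 0);

# Constructed sample values: the cases named in the thread plus a benign one.
my @samples = (
    [ 'benign',    'report_2004'  ],
    [ 'empty',     ''             ],
    [ 'non-ASCII', "caf\xe9"      ],
    [ 'quote',     "O'Brien"      ],
    [ 'backtick',  'a`b'          ],
    [ 'NUL byte',  "report\0.txt" ],
);

# Hypothetical allow-list: 1 to 32 ASCII word characters and nothing else.
# \A and \z anchor the whole string; only a regex capture comes back untainted.
sub untaint_name {
    my ($value) = @_;
    return $value =~ /\A([A-Za-z0-9_]{1,32})\z/ ? $1 : undef;
}

for my $sample (@samples) {
    my ($label, $raw) = @$sample;
    my $input = $raw . $TAINT;          # simulate untrusted request input
    my $clean = untaint_name($input);
    printf "%-10s tainted=%d  %s\n", $label, tainted($input) ? 1 : 0,
        defined $clean ? "accepted as '$clean'" : 'rejected';
    next if defined $clean;

    # If code skipped the allow-list and used the raw value anyway, -T dies
    # before the command runs, even in the shell-free list form of system().
    my $ok = eval { system('/bin/echo', $input); 1 };
    print "           system() blocked by taint mode: ",
        ($@ =~ /Insecure dependency/ ? 'yes' : 'no'), "\n" unless $ok;
}
```

Only the benign value is accepted; every other sample is rejected by the pattern, and the attempt to use it unvalidated dies with an "Insecure dependency" error.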
