This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Testing for Input Validation"
(→Data Validation Testing) |
(→Data Validation Testing) |
||
| Line 9: | Line 9: | ||
<br> | <br> | ||
In this chapter we describe how to test all the possible forms of input validation to understand if the application is strong enough against any type of data input.<br> | In this chapter we describe how to test all the possible forms of input validation to understand if the application is strong enough against any type of data input.<br> | ||
| − | We split Data Validation into this macro categories:<br> | + | We split Data Validation into this macro categories:<br><br> |
Input -> Output == cross-site scripting<br> | Input -> Output == cross-site scripting<br> | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
[[Cross site scripting AoC|4.6.1 Cross site scripting]]<br> | [[Cross site scripting AoC|4.6.1 Cross site scripting]]<br> | ||
| + | Input -> HTTP Methods == XST <br> | ||
[[HTTP Methods and XST AoC|4.6.1.1 HTTP Methods and XST ]]<br> | [[HTTP Methods and XST AoC|4.6.1.1 HTTP Methods and XST ]]<br> | ||
| + | Input -> Query SQL == SQL injection<br> | ||
[[SQL Injection AoC|4.6.2 SQL Injection ]]<br> | [[SQL Injection AoC|4.6.2 SQL Injection ]]<br> | ||
[[Stored Procedure Injection AoC|4.6.2.1 Stored procedure injection ]]<br> | [[Stored Procedure Injection AoC|4.6.2.1 Stored procedure injection ]]<br> | ||
[[Oracle Testing AoC|4.6.2.2 Oracle Testing ]]<br> | [[Oracle Testing AoC|4.6.2.2 Oracle Testing ]]<br> | ||
[[MySQL Testing AoC|4.6.2.3 MySQL Testing ]]<br> | [[MySQL Testing AoC|4.6.2.3 MySQL Testing ]]<br> | ||
| − | [[SQL Server Testing AoC|4.6.2.4 SQL Server Testing ]]<br> | + | [[SQL Server Testing AoC|4.6.2.4 SQL Server Testing ]]<br><br> |
| − | + | Input -> Query LDAP == LDAP injection<br> | |
| + | [[LDAP Injection Testing AoC|4.6.4 LDAP Injection]]<br><br> | ||
| + | Input -> System == command injection<br> | ||
[[ORM Injection Testing AoC|4.6.3 ORM Injection]]<br> | [[ORM Injection Testing AoC|4.6.3 ORM Injection]]<br> | ||
| − | |||
[[XML Injection Testing AoC|4.6.5 XML Injection]]<br> | [[XML Injection Testing AoC|4.6.5 XML Injection]]<br> | ||
[[SSI Injection Testing AoC|4.6.6 SSI Injection]]<br> | [[SSI Injection Testing AoC|4.6.6 SSI Injection]]<br> | ||
| Line 38: | Line 29: | ||
[[IMAP/SMTP Injection Testing AoC|4.6.8 IMAP/SMTP Injection]]<br> | [[IMAP/SMTP Injection Testing AoC|4.6.8 IMAP/SMTP Injection]]<br> | ||
[[Code Injection Testing AoC|4.6.9 Code Injection]]<br> | [[Code Injection Testing AoC|4.6.9 Code Injection]]<br> | ||
| − | [[OS Commanding Testing AoC|4.6.10 OS Commanding]]<br> | + | [[OS Commanding Testing AoC|4.6.10 OS Commanding]]<br><br> |
| − | + | Input -> Fixed buffer or format string == overflow<br> | |
[[Buffer Overflow Testing AoC|4.6.11 Buffer overflow Testing ]]<br> | [[Buffer Overflow Testing AoC|4.6.11 Buffer overflow Testing ]]<br> | ||
[[Heap Overflow Testing AoC|4.6.11.1 Heap overflow ]]<br> | [[Heap Overflow Testing AoC|4.6.11.1 Heap overflow ]]<br> | ||
[[Stack Overflow Testing AoC|4.6.11.2 Stack overflow ]]<br> | [[Stack Overflow Testing AoC|4.6.11.2 Stack overflow ]]<br> | ||
[[Format String Testing AoC|4.6.11.3 Format string ]]<br> | [[Format String Testing AoC|4.6.11.3 Format string ]]<br> | ||
| + | |||
[[Incubated Vulnerability Testing AoC|4.6.12 Incubated vulnerability testing]] <br> | [[Incubated Vulnerability Testing AoC|4.6.12 Incubated vulnerability testing]] <br> | ||
| + | Incubated testing is a complex testing that need more that one data valition vulnerability to work. | ||
| + | <br> | ||
| + | In every pattern showed the data must be validated from the application before trust it and execute it. Our goal is to test if the application really do that. | ||
| + | |||
| + | |||
| + | |||
| + | |||
[[OWASP Testing Guide v2 Table of Contents]] | [[OWASP Testing Guide v2 Table of Contents]] | ||
Revision as of 15:27, 7 November 2006
[Up]
OWASP Testing Guide v2 Table of Contents
Data Validation Testing
The most common web application security weakness is the failure to properly validate input from the client or environment. This weakness leads to almost all of the major vulnerabilities in applications, such as interpreter injection, locale/Unicode attacks, file system attacks and buffer overflows.
Data from the client should never be trusted for the client has every possibility to tamper with the data: "All Input is Evil" said Michael Howard in his famous book "Writing Secure Code". That's rule number one. The problem is that in a complex application the points of access for an attacker increase and it is easy that you forget to implement this rule.
In this chapter we describe how to test all the possible forms of input validation to understand if the application is strong enough against any type of data input.
We split Data Validation into this macro categories:
Input -> Output == cross-site scripting
4.6.1 Cross site scripting
Input -> HTTP Methods == XST
4.6.1.1 HTTP Methods and XST
Input -> Query SQL == SQL injection
4.6.2 SQL Injection
4.6.2.1 Stored procedure injection
4.6.2.2 Oracle Testing
4.6.2.3 MySQL Testing
4.6.2.4 SQL Server Testing
Input -> Query LDAP == LDAP injection
4.6.4 LDAP Injection
Input -> System == command injection
4.6.3 ORM Injection
4.6.5 XML Injection
4.6.6 SSI Injection
4.6.7 XPath Injection
4.6.8 IMAP/SMTP Injection
4.6.9 Code Injection
4.6.10 OS Commanding
Input -> Fixed buffer or format string == overflow
4.6.11 Buffer overflow Testing
4.6.11.1 Heap overflow
4.6.11.2 Stack overflow
4.6.11.3 Format string
4.6.12 Incubated vulnerability testing
Incubated testing is a complex testing that need more that one data valition vulnerability to work.
In every pattern showed the data must be validated from the application before trust it and execute it. Our goal is to test if the application really do that.
