needleinthehay.de

Web Security Checklist

General

Approach for testing

  1. Identify modifiable input that is processed by an XML, SQL, LDAP or similar engine. Such input is not limited to form fields: cookies, the HTTP request body and request headers are all candidates.
  2. Send characters that are syntactically significant to the target engine (for example ' " < > ( ) ; | &) and watch for error messages or other unintended behaviour.
  3. Exploit the unintended behaviour to inject your own statements or commands.
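The three steps worked through against a SQL engine, as an added example that is not part of the original checklist. It uses Python's standard sqlite3 module with a constructed in-memory user table standing in for the application's database; the function names (lookup_vulnerable, lookup_hardened, probe) are assumptions for illustration. It serves both the approach above and the SQL injection section below: the concatenating lookup is the step 1 target, probe implements step 2 by appending each critical character to a benign value and recording which ones produce an engine error, the tautology payload is step 3, and the parameterised lookup is the mitigation.

```python
import sqlite3

# Constructed sample data (not from the original page): a minimal user
# directory in an in-memory SQLite database standing in for the engine
# that processes the modifiable input.
def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    con.commit()
    return con

def lookup_vulnerable(con, name):
    # Step 1 target: the request parameter is concatenated into the SQL
    # text, so a quote character in `name` changes the statement structure.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return con.execute(sql).fetchall()

def lookup_hardened(con, name):
    # Mitigation: the value is bound as a parameter. The statement text is
    # fixed, so the input can never be parsed as SQL.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return con.execute(sql, (name,)).fetchall()

# Step 2: characters that carry syntactic meaning for SQL (several also for
# other engines). Each is appended to a benign value, so a sound handler
# keeps working while a concatenating one breaks.
CRITICAL_CHARS = ["'", '"', ";", "--", "(", ")", "<", ">", "|", "&", "*", "\\"]

def probe(handler, con, base="alice"):
    """Return the critical characters that make `handler` raise an engine
    error. An error triggered by a single quote is the classic sign of
    string-context SQL injection."""
    triggers = []
    for ch in CRITICAL_CHARS:
        try:
            handler(con, base + ch)
        except sqlite3.Error:
            triggers.append(ch)
    return triggers

# Step 3: turn the confirmed quote handling into an injected predicate that
# is always true, so the WHERE clause no longer filters anything.
TAUTOLOGY = "x' OR '1'='1"

if __name__ == "__main__":
    con = build_db()
    print("vulnerable handler errors on:", probe(lookup_vulnerable, con))
    print("hardened handler errors on:  ", probe(lookup_hardened, con))
    print("vulnerable, tautology:", lookup_vulnerable(con, TAUTOLOGY))
    print("hardened, tautology:  ", lookup_hardened(con, TAUTOLOGY))
```

Only the single quote breaks the concatenating handler (the other characters land inside the string literal), which is exactly the signal step 2 is looking for; the parameterised handler errors on nothing and returns an empty result for the tautology, because the whole payload is compared as a name.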

Mitigate risks

Specific injection attacks

SQL injection

Characteristics:

Mitigate:

XXE injection (XML External Entities)

Characteristics:

Mitigate:

LDAP injection (Lightweight Directory Access Protocol)

Characteristics:

XPath injection

Characteristics:

Mitigate:

OS command injection

Characteristics:

Mitigate:
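The same three-step approach applied to OS command injection, as an added example that is not part of the original checklist. Python's subprocess module is used; `echo` stands in for whatever system command the application would really run (ping, nslookup, convert), and the handler names, the hostname allowlist and the canary payloads are assumptions for illustration. The probe relies on a detail worth knowing: each payload asks the shell to evaluate arithmetic, so the value 5555 can only appear in the output if a shell actually interpreted the input. A handler that safely echoes the literal text back cannot produce a false positive.

```python
import re
import subprocess

# Assumed, simplified allowlist for the one input this endpoint should
# accept: a DNS hostname made of letters, digits, dots and hyphens.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")

def echo_vulnerable(host):
    # Step 1 target: the parameter is interpolated into a command line that
    # /bin/sh parses, so ; | && $(...) and newlines in `host` are executed.
    return subprocess.run(f"echo {host}", shell=True,
                          capture_output=True, text=True).stdout

def echo_no_shell(host):
    # Mitigation 1: pass an argument vector and no shell. Metacharacters stay
    # inside a single argv entry and are never interpreted.
    return subprocess.run(["echo", host], capture_output=True, text=True).stdout

def echo_hardened(host):
    # Mitigation 2: additionally reject anything outside the allowlist before
    # the value reaches any command at all.
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return echo_no_shell(host)

# Steps 2 and 3: constructed payloads, one per shell metacharacter class.
# The literal text contains "1234+4321"; only a shell turns it into "5555".
CANARY_EXPR = "$((1234+4321))"
CANARY = "5555"
PAYLOADS = [
    f"; echo {CANARY_EXPR}",    # command separator
    f"| echo {CANARY_EXPR}",    # pipe
    f"&& echo {CANARY_EXPR}",   # conditional chaining
    f"{CANARY_EXPR}",           # inline expansion, no separator needed
    f"\necho {CANARY_EXPR}",    # newline as separator
]

def injectable_payloads(handler, base="example.com"):
    """Return the payloads for which `handler` let a shell evaluate the
    canary expression."""
    hits = []
    for payload in PAYLOADS:
        try:
            out = handler(base + payload)
        except ValueError:
            continue            # rejected by input validation
        if CANARY in out:
            hits.append(payload)
    return hits

if __name__ == "__main__":
    print("vulnerable:", injectable_payloads(echo_vulnerable))
    print("no shell:  ", injectable_payloads(echo_no_shell))
    print("hardened:  ", injectable_payloads(echo_hardened))
```

Dropping the shell is what removes the vulnerability; the allowlist is defence in depth that also stops the input reaching a command that has its own argument parsing (leading `-` options, for instance), which an argument vector alone does not prevent.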