Anyone know a list of security exploits we can use to test?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

affinity
Forum Newbie
Posts: 3
Joined: Fri Dec 05, 2008 3:21 am

Post by affinity »

Does anyone know if somewhere online there is a list of common security exploits to try in our Forms so we can test our systems are protected against these? I have found various sites explaining about security and all that and followed their advice, but nothing that gives a set of "test scripts" that people can perform on their site and forms to see if the security protects it from these. So I do not know if my site/forms would be fully protected without knowing the sort of malicious scripts people would use and try them out.

(On the other hand, I just realised if this does exist it may encourage more people to try them out on other people's websites so maybe they shouldn't exist. So hmmm, a dilemma.)

Thanks
Hannes2k
Forum Contributor
Posts: 102
Joined: Fri Oct 24, 2008 12:22 pm

Re: Anyone know a list of security exploits we can use to test?

Post by Hannes2k »

Hi,
an exploit is a really individual thing. I mean it in this way: it is normally written for a special vulnerability in a special software and for a special purpose.

So there isn't any (good) tool to test your own written software system for vulnerabilities. Okay, you can do some standard tests for checking if there is a SQL injection or XSS possible, but that's all.
So it is more efficient to know how to write secure programs/scripts, and to know which points are normally guilty for vulnerabilities.
If you know this, then you can do a code audit very easily and make some standard tests (for SQL injection, code injection, XSS etc.).

But there will never exist a tool for doing all this work.
Last edited by Hannes2k on Sun Dec 07, 2008 4:56 am, edited 1 time in total.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: Anyone know a list of security exploits we can use to test?

Post by John Cartwright »

EDIT | Disclaimer: I pretty much repeated the above post, :oops:

I think there is not a unified set of security instructions because security largely depends on the nature of the application. There are some technical exploits that can easily be prevented, i.e. Globals, SQL injection, XSS, although what also needs to be considered is the logic in your application (which usually greatly differs per project). I.e., does UsergroupB have write permission for Blog/create action?

If there was a set of scripts out there to try and exploit servers, I certainly wouldn't post it here anyways. Lamers and all.

Hope that helps.
eggnogg
Forum Newbie
Posts: 11
Joined: Wed Feb 15, 2006 7:31 pm

Re: Anyone know a list of security exploits we can use to test?

Post by eggnogg »

there's plenty of written tests to try, look in google
keywords: xss, injections, tests, lists, security, etc
play with the keywords, you'll find a few copy paste strings to use
also, there's Inject Me, a FF plugin to test on your site and see if sql injection attacks go through or not
just look for them in google

but like it was said, there's no list of all exploits as new "hack codes" are made up every month so, you might want to start and learn the basics of programming to be 100% protected
affinity
Forum Newbie
Posts: 3
Joined: Fri Dec 05, 2008 3:21 am

Re: Anyone know a list of security exploits we can use to test?

Post by affinity »

sorry for late reply, didn't get a notification of posts.... anyways, thanks for your replies. yeah I suppose some will be personal, depending on code, but I was thinking there must be some standard ones people try to enter into forms, i.e. ending the php code with an apostrophe followed by some code to try to break in. I don't know. Anyway, I will keep looking. Although since posting this I am now using mvc frameworks to develop code, in which I expect security would be much higher than if I coded it from scratch myself.
thanks
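
The "standard tests" for SQL injection and XSS mentioned in this thread, including the apostrophe case, can be kept as a small regression check against your own form handler. The following is an added example, not code from any poster: it assumes the pdo_sqlite extension, and the `users` table, the function names and the probe strings are all constructed for illustration.

```php
<?php
// Added example: regression checks for a form handler you own.
// Table, column and function names are hypothetical; probe strings are constructed.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// "Before": form input concatenated into the SQL text.
function findUserConcat(PDO $pdo, string $name): array {
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    try {
        return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
    } catch (PDOException $e) {
        return ['SQL ERROR'];   // a syntax error caused by input is itself a finding
    }
}

// "After": input bound as a parameter, never parsed as SQL.
function findUserBound(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Output encoding for values echoed back into an HTML body.
function render(string $value): string {
    return '<p>' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '</p>';
}

$probes = ["O'Brien", "x' OR '1'='1", '<script>alert(1)</script>'];

foreach ($probes as $p) {
    // No probe is a stored name, so any non-empty result means the input changed the query.
    $concat = findUserConcat($pdo, $p) === [] ? 'ok' : 'FAIL';
    $bound  = findUserBound($pdo, $p) === [] ? 'ok' : 'FAIL';
    printf("%-28s concat=%-5s bound=%s\n", $p, $concat, $bound);
    // Escaped output must not carry a raw tag from the input.
    if (strpos(render($p), '<script') !== false) {
        throw new RuntimeException("unescaped output for probe: $p");
    }
}
```

A legitimate name containing an apostrophe is as useful a probe as a hostile string: the concatenated query fails on both, while the bound query treats both as plain data.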