Idea: Using System Level Testing for Revealing SQL Injection-Related Error Message Information Leaks: Difference between revisions

Line 87: Line 87:
# http://eclipse.org/webtools/
# http://eclipse.org/webtools/
# For larger applications, one could use a static analyzer to determine hotspots’ locations.
# For larger applications, one could use a static analyzer to determine hotspots’ locations.
# http://www.neurofuzz.com/modules/wfdownloads/singlefile.php?cid=2&lid=9
# HtmlUnit is a "GUI-Less browser for Java programs". It models HTML documents and provides an API that allows you to invoke pages, fill out forms, click links, etc, just like you do in your "normal" browser. http://htmlunit.sourceforge.net.
# HtmlUnit is a "GUI-Less browser for Java programs". It models HTML documents and provides an API that allows you to invoke pages, fill out forms, click links, etc, just like you do in your "normal" browser. http://htmlunit.sourceforge.net.
# However, some hotspots were not used by the JSPs in the application, perhaps because these hotspots were used for database administration only, or the development team had not finished implementing the use case that required the query. If we could not reach the SQL statement through the web interface, we augmented the white box test plan to include a malicious test that directly calls the database class.
# However, some hotspots were not used by the JSPs in the application, perhaps because these hotspots were used for database administration only, or the development team had not finished implementing the use case that required the query. If we could not reach the SQL statement through the web interface, we augmented the white box test plan to include a malicious test that directly calls the database class.
# http://www.neurofuzz.com/modules/wfdownloads/singlefile.php?cid=2&lid=9


[[Category:Conference Papers]]
[[Category:Conference Papers]]
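Review bot: the footnote holding the neurofuzz.com download URL sits directly after the static-analyzer note on one side of this hunk and after the last note (the "However, some hotspots were not used by the JSPs" one) on the other. Because these are auto-numbered "#" list items, the move renumbers the HtmlUnit note and the unreachable-hotspot note. Check that the in-text footnote markers in the body still point at the intended notes after the reorder. It would also help to give the two bare-URL notes (eclipse.org/webtools and the neurofuzz.com link) a short label naming what each link refers to, so the citation stays meaningful if the URL stops resolving.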