From: Shields, Larry (Larry.ShieldsFMR.COM)
Date: Tue Jan 29 2002 - 06:52:07 CST


    Sverre,

            It's a good point to make this clarification. However, the question
    was how do you know if the test was successful. It's always difficult to
    know if there's going to be a problem somewhere down the line. You know
    you're successful if you can make it work. You can never know for sure,
    otherwise, unless you have full access to the code & architecture.

            In this regard, it's similar to other application testing. If you
    don't find a way to break the application, it doesn't mean there isn't a
    vulnerability. Just that you didn't find anything. Something all of us
    need to remember. =)

    -Larry Shields
    Internet Security Risk Assessment / Fidelity Investments

    >| >How do you know if a test was successful?
    >|
    >| If I am able to inject any of my own code that executes in the
    >| script, it has worked. Obviously the easiest for simple testing
    >| is to pop an "alert" window with a message in it.
    >
    >It should be noted that if you are _not_ able to insert code that
    >executes, it does not necessarily mean that the site is not
    >vulnerable. It just means that _you_ are not able to do it. Or maybe
    >it means that they successfully prevent script in the page you test,
    >but you can hardly know when your input will show up in another page,
    >or in an HTML formatted mail generated by the site.
    >
    >You can prove that they are vulnerable to CSS, but you cannot prove
    >that they are not. (I guess you knew that Larry, but I _know_ other
    >people don't, so I wanted to mention it.)
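
The point made in the thread, that a clean result on the page you test says nothing about other places the same input is rendered, shown as an added example that is not part of the original messages. The three render functions, the sink names and the probe string are hypothetical and constructed for illustration.

```python
import html

# Constructed, harmless marker markup used as the test input.
PROBE = '<i id="probe-7f3a">x</i>'

def render_profile_page(name):
    # Sink 1 (hypothetical): the page an outside tester can see.
    # Output is HTML-encoded, so the markup arrives as inert text.
    return "<html><body><h1>Profile: %s</h1></body></html>" % html.escape(name)

def render_admin_report(name):
    # Sink 2 (hypothetical): a different page, visible only to staff.
    # Same stored value, but the encoding step was forgotten.
    return "<table><tr><td>%s</td></tr></table>" % name

def render_welcome_mail(name):
    # Sink 3 (hypothetical): HTML-formatted mail generated by the site.
    return "<p>Welcome, %s!</p>" % name

SINKS = {
    "profile_page": render_profile_page,
    "admin_report": render_admin_report,
    "welcome_mail": render_welcome_mail,
}

def black_box_finding(value):
    """What the outside tester observes: only the profile page is visible."""
    return value in render_profile_page(value)

def unencoded_sinks(value, sinks=SINKS):
    """What a reviewer with access to the code can check: every sink
    where the value's markup survives unencoded."""
    return sorted(name for name, render in sinks.items()
                  if value in render(value))

if __name__ == "__main__":
    print("tester saw markup execute-ready:", black_box_finding(PROBE))
    print("sinks that emit it unencoded:   ", unencoded_sinks(PROBE))
```

The outside test reports nothing, while a review of every output path finds two sinks that need the same encoding the profile page already applies.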