Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Shields, Larry (Larry.ShieldsFMR.COM)
Date: Tue Jan 29 2002 - 06:52:07 CST
It's a good point to make this clarification. However the question
was how do you know if the test was successful. It's always difficult to
know if there's going to be a problem somewhere down the line. You know
you're successful if you can make it work. You can never know for sure,
otherwise, unless you have full access to the code & architecture.
In this regard, it's similar to other application testing. If you
don't find a way to break the application, it doesn't mean there isn't a
vulnerability. Just that you didn't find anything. Something all of us
need to remember. =)
Internet Security Risk Assessment / Fidelity Investments
>| >How do you know if a test was successful?
>| If I am able to inject any of my own code that executes in the
>| script, it has worked. Obviously the easiest for simple testing
>| is to pop an "alert" window with a message in it.
>It should be noted that if you are _not_ able to insert code that
>executes, it does not necessarily mean that the site is not
>vulnerable. It just means that _you_ are not able to do it. Or maybe
>it means that they successfully prevent script in the page you test,
>but you can hardly know when your input will show up in another page,
>or in an HTML formatted mail generated by the site.
>You can prove that they are vulnerable to CSS, but you cannot prove
>that they are not. (I guess you knew that Larry, but I _know_ other
>people don't, so I wanted to mention it.)