Monday, December 27, 2010

A Database Error Occurred!!

I was asked to look at a site to see if there was any malicious content on the site but found none. However, it was vulnerable to XSS, but I was looking for something additional. I decided to input data into the form field a little at a time and finally was able to get the site to "break." By inserting thousands of characters into the form field, the application returned "A Database Error Occurred." Contained in the error message was the select statement:

"INSERT INTO `table`(`first_name`, `gender`, `id`, `content`) VALUES('0123456789............X100????', '......', '.....', '.....')"

Just goes to show that trying to send a large amount of chars through a form field is a great way to see how things are handled by the application.
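
The behaviour described above, next to a hardened version, as an added example that is not code from the site or from the original post. The table name guestbook, the 100-character limit, the function names and the SQLite stand-in (a CHECK constraint playing the role of a strict column width) are all assumptions made for illustration.

```python
import logging
import sqlite3
import uuid

log = logging.getLogger("signup")
MAX_FIRST_NAME = 100  # assumed column width, enforced below by a CHECK constraint


def make_db():
    # Constructed stand-in for the site's table; SQLite needs a CHECK to
    # reject over-long values the way a strict fixed-width column would.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE guestbook (first_name TEXT "
        f"CHECK (length(first_name) <= {MAX_FIRST_NAME}), content TEXT)"
    )
    return db


def submit_leaky(db, first_name, content):
    """'Before': the database error and the statement go back to the client."""
    sql = "INSERT INTO guestbook (first_name, content) VALUES (?, ?)"
    try:
        db.execute(sql, (first_name, content))
        return 200, "saved"
    except sqlite3.Error as exc:
        return 500, f"A Database Error Occurred: {exc} [{sql}]"


def submit_hardened(db, first_name, content):
    """'After': validate length server-side, keep failure details in the log."""
    if not 0 < len(first_name) <= MAX_FIRST_NAME:
        return 400, f"first_name must be 1-{MAX_FIRST_NAME} characters"
    try:
        db.execute(
            "INSERT INTO guestbook (first_name, content) VALUES (?, ?)",
            (first_name, content),
        )
        return 200, "saved"
    except sqlite3.Error:
        ref = uuid.uuid4().hex[:8]  # lets support match a report to the log entry
        log.exception("guestbook insert failed ref=%s", ref)
        return 500, f"Something went wrong (ref {ref})"


if __name__ == "__main__":
    db = make_db()
    print(submit_leaky(db, "A" * 5000, "hi"))     # table and statement disclosed
    print(submit_hardened(db, "A" * 5000, "hi"))  # rejected before the database
```
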
