StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PO
primarykey
Id
2351993
data
AcceptedAnswerId
0
AnswerCount
0
ClosedDate
CommentCount
0
CommunityOwnedDate
CreationDate
2010-02-28T18:05:53.280
FavoriteCount
0
LastActivityDate
2015-06-06T17:42:33.443
LastEditDate
2015-06-06T17:42:33.443
LastEditorUserId
2632129
OwnerUserId
183528
ParentId
2351315
PostTypeId
2
Score
21
ViewCount
0
LastEditorDisplayName
text
Body
SQL Injection and XSS are the most common mistakes that programmers make. The good news is that they are easiest to automatically test for, as long as you have the right software. When I am on a pentest I use <a href="https://sitewat.ch/" rel="noreferrer">Sitewatch</a> or <a href="http://wapiti.sourceforge.net/" rel="noreferrer">Wapiti</a> for finding web application vulnerabilities. Acunetix is over priced. But, you can't just fire off some automated tool and expect everything to work. There are a number of precautions you must take with ANY vulnerability scanner you choose. 1) make sure display_errors=On in your php.ini Sql Injection tests rely on being able to see mysql error messages in the response pages! No error, no vulnerability detected! 2) Scan the authenticated areas of your application. Create a user account specifically for testing. Acuentix has an easy wizard where you can create a login sequence. If you are using wapiti you can give a cookie to wapiti or give wapiti a post request to fire off but this is kind of tricky. AFTER you have tested your application then test your server for misconfiguration. To test your server then you need to run <a href="http://www.openvas.org/" rel="noreferrer">OpenVAS</a> which is the new more free version of Nessus which is now a commercial product. Then you should follow this up with <a href="http://phpsec.org/projects/phpsecinfo/" rel="noreferrer">PhpSecInfo</a>. These tests will notify you of problems with your configuration or if you are running old vulnerable software. Nothing will ever be 100% secure, EVER. No matter what you do there are vulnerabilities that will slip though the cracks. There are vulnerabilities in all development platforms that lead a compromises that no tool can test for. There are also bugs in the testing tools you use. There are false posties and false negatives and some tests that just don't work, a good example i have never seen an automated CSRF tool that actually finds legit vulnerabilities. Acunetix's CSRF test is a complete waste of time. There is also the <a href="http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents" rel="noreferrer">OWASP testing guide</a> which goes into greater detail. This is not to be confused with the <a href="http://www.owasp.org/index.php/File:OWASP_T10_-_2010_rc1.pdf" rel="noreferrer">OWASP Top 10</a> which is also an excellent resource. The <a href="http://phpsec.org/projects/guide/" rel="noreferrer">PHP Security Guide</a> is also a great resource for php programmers. 
Tags
Title
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. POTesting for security vulnerabilities in web applications: Best practices?
 singulars
 PostTypePostTypeId
 PTQuestion
PostTypePostTypeId
1. PTAnswer
UserLastEditorUserId
1. USJames
UserOwnerUserId
1. USrook
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. POTesting for security vulnerabilities in web applications: Best practices?
 singulars
 PostTypePostTypeId
 PTQuestion
PostsParentIdCreationDate
1. This table or related slice is empty.
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
2. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
3. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTAcceptedByOriginator
CommentsPostId
1. This table or related slice is empty.

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.