[Owasp-webscarab] Need help for SQL Injection
Rogan Dawes
rogan at dawes.za.net
Wed Jul 11 03:57:37 EDT 2007
Naveen Sharma wrote:
>
> Hi all;
>
> I have one blocking issue; please provide help with it. The issue is below.
>
> I used the fuzzer. I got one request with response code 200 for SQL
> injection on the login page, in the user name field. Can you please tell me how
> I should verify and confirm that this is a valid proof of the bug?
>
> Actually I want further investigation steps after getting response code
> as 200.
>
> Thanks in advance
>
> Naveen
Hi Naveen,
A 200 response doesn't mean that there is an actual SQL injection. All
it means is that the server successfully handled your request. You need
to look at the content of the response to determine if there really was
an injection occurring.
Typically, you'd be looking for an SQL error message, or a broken page
(500 error message) indicating an unhandled exception.
Take a look at http://www.owasp.org/index.php/SQL_injection for more
information.
Rogan
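A small triage script, added here as an illustration and not part of Rogan's reply or of WebScarab itself. It applies the checks from the reply to fuzzer results: database error text in the response body, an unhandled server error (5xx) that the benign baseline request does not produce, and a comparison of the probe's body against the baseline. It also goes one step beyond the reply with a true/false payload pair, which shows why two 200 responses can still prove an injection when their bodies differ in a way the condition explains. All responses below are constructed sample data; the hidden-field pattern and the error signature list are assumptions about the target, not something taken from the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Error text that common database engines emit when a query breaks.
# A match in the response body is far stronger evidence than the HTTP
# status code alone. (Assumed list, extend it for the target's DBMS.)
SQL_ERROR_SIGNATURES = [
    ("MySQL", r"You have an error in your SQL syntax"),
    ("MySQL", r"Warning: mysql_(?:fetch|query|num_rows)"),
    ("Oracle", r"\bORA-\d{5}\b"),
    ("MSSQL", r"Unclosed quotation mark after the character string"),
    ("MSSQL", r"Microsoft OLE DB Provider for SQL Server"),
    ("PostgreSQL", r"PG::SyntaxError|pg_query\(\)|unterminated quoted string"),
    ("SQLite", r"SQLITE_ERROR|near \"[^\"]*\": syntax error"),
]


@dataclass
class Response:
    payload: str   # value that was sent in the username field
    status: int    # HTTP status code
    body: str      # response body as text


def find_sql_error(body: str) -> Optional[str]:
    """Return the DBMS whose error text appears in the body, or None."""
    for dbms, pattern in SQL_ERROR_SIGNATURES:
        if re.search(pattern, body, re.IGNORECASE):
            return dbms
    return None


def normalize(body: str) -> str:
    """Strip per-request noise so two logically identical pages compare equal.
    Removing hidden inputs (CSRF tokens etc.) is an assumption about the markup."""
    body = re.sub(r'<input[^>]*type="hidden"[^>]*>', "", body, flags=re.I)
    return re.sub(r"\s+", " ", body).strip()


def assess(baseline: Response, probe: Response) -> str:
    """Classify one fuzzer hit against the response to a benign username."""
    dbms = find_sql_error(probe.body)
    if dbms:
        return f"likely injection: {dbms} error text in response body"
    if probe.status >= 500 and baseline.status < 500:
        return "possible injection: server error on injected input, check the stack trace or server logs"
    if probe.status == baseline.status and normalize(probe.body) == normalize(baseline.body):
        return "not confirmed: response identical to baseline"
    return "inconclusive: response differs from baseline, diff it by hand"


def boolean_differential(baseline: Response, true_probe: Response, false_probe: Response) -> bool:
    """Blind check for a 200-only target: a payload that appends an always-true
    condition should reproduce the baseline page, while the always-false twin
    should not. Both hold only if the input reached the query unescaped."""
    true_same = normalize(true_probe.body) == normalize(baseline.body)
    false_differs = normalize(false_probe.body) != normalize(baseline.body)
    return true_same and false_differs


# Constructed sample responses for an imaginary login page (not real traffic).
BASELINE = Response("alice", 200,
    '<html><input type="hidden" name="csrf" value="a1b2">Invalid password for user alice</html>')
ERROR_PROBE = Response("alice'", 200,
    "<html>You have an error in your SQL syntax; check the manual that corresponds "
    "to your MySQL server version for the right syntax to use near ''alice''' at line 1</html>")
CRASH_PROBE = Response("alice'", 500, "<html>Internal Server Error</html>")
TRUE_PROBE = Response("alice' AND '1'='1", 200,
    '<html><input type="hidden" name="csrf" value="c3d4">Invalid password for user alice</html>')
FALSE_PROBE = Response("alice' AND '1'='2", 200,
    '<html><input type="hidden" name="csrf" value="e5f6">Unknown user</html>')


if __name__ == "__main__":
    for probe in (ERROR_PROBE, CRASH_PROBE, TRUE_PROBE, FALSE_PROBE):
        print(f"{probe.payload!r:25} {probe.status} -> {assess(BASELINE, probe)}")
    print("boolean pair confirms injection:", boolean_differential(BASELINE, TRUE_PROBE, FALSE_PROBE))
```

Note that `assess` alone reports the always-true payload as "not confirmed" because its page matches the baseline; only the paired comparison in `boolean_differential` turns the two 200 responses into evidence. Whatever the script reports, the finding is only proven once you can explain the difference by what the injected condition did to the query, so keep the raw request/response pairs from WebScarab for the report.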