[ OWASP - Montreal ] Web Apps Injections - successful or not?

Benoit Guerette benoit.guerette at gmail.com
Thu Dec 4 13:42:42 EST 2008

If exceptions are correctly caught by an application, it will not
show any details about an error (OWASP A6 - Information Leakage and
Improper Error Handling).

Example: SQL injection showing a Java stack trace in the browser with
the database version and error number.

How can you, in a penetration test, know whether the injection is
successful or not? A generic exception message or an HTTP 500 will not
confirm that. So is it a guess? Catching an HTTP 500 on 200 injections
is not a confirmation of a successful injection, but a probability.

So you put a low vuln in the report, stating that some injections
reacted differently than others, and the client should check that?



