[ OWASP - Montreal ] Web Apps Injections - successful or not?
benoit.guerette at gmail.com
Thu Dec 4 13:42:42 EST 2008
If exceptions are correctly caught by an application, it will not
show any details about an error (OWASP A6 - Information Leakage and
Improper Error Handling).
Example: SQL injection showing a Java stack trace in the browser with
the database version and error number.
How can you, in a penetration test, know whether the injection is
successful or not? A generic exception message or an HTTP 500 will not
confirm that. So is it a guess? Catching an HTTP 500 on 200 injections
is not a confirmation of a successful injection, but a probability.
So you put a low vuln in the report, stating that some injections
reacted differently than others, and the client should check that?
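One way to turn the "probability" above into a confirmation, as an added example that is not part of the original post: instead of counting 500s, send pairs of payloads that differ only in truth value (boolean-based blind injection) and compare the responses with the baseline. The two endpoints, the in-memory SQLite table and the request values below are all constructed for illustration; they stand in for a real target and are not anything the post or OWASP Montreal published.

```python
import sqlite3


# Constructed sample data: a two-row table standing in for the target's database.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products (name) VALUES (?)",
                     [("widget",), ("gadget",)])
    return conn


class VulnerableApp:
    """Hypothetical endpoint that concatenates user input into SQL but swallows
    every exception and returns a generic page: error handling is correct
    (no stack trace, no DB version), the injection is still there."""

    def __init__(self, conn):
        self.conn = conn

    def get(self, product_id):
        try:
            rows = self.conn.execute(
                "SELECT name FROM products WHERE id = " + product_id).fetchall()
        except sqlite3.Error:
            return 500, "An internal error occurred"
        if not rows:
            return 404, "No such product"
        return 200, "Product: " + rows[0][0]


class SafeApp(VulnerableApp):
    """Same endpoint with a parameterised query; non-integer input is rejected."""

    def get(self, product_id):
        try:
            pid = int(product_id)
        except ValueError:
            return 400, "Bad request"
        rows = self.conn.execute(
            "SELECT name FROM products WHERE id = ?", (pid,)).fetchall()
        if not rows:
            return 404, "No such product"
        return 200, "Product: " + rows[0][0]


# Conditions of identical shape that differ only in truth value. Two pairs are
# used so a single coincidental difference does not count as confirmation.
BOOLEAN_PAIRS = [
    ("1=1", "1=2"),
    ("2>1", "2<1"),
]


def confirm_boolean_sqli(send, baseline_value="1"):
    """Boolean-based blind check. `send(value)` issues one request and returns
    (status, body). Returns True only when every TRUE payload reproduces the
    baseline response exactly and every FALSE payload changes it."""
    baseline = send(baseline_value)
    for true_cond, false_cond in BOOLEAN_PAIRS:
        true_resp = send(f"{baseline_value} AND {true_cond}")
        false_resp = send(f"{baseline_value} AND {false_cond}")
        if true_resp != baseline or false_resp == baseline:
            return False
    return True


def error_only_hint(send, baseline_value="1"):
    """The weaker signal the post describes: a malformed payload yields a 500.
    Worth triaging, but not confirmation on its own."""
    status, _ = send(baseline_value + "'")
    return status == 500


if __name__ == "__main__":
    for name, app in (("vulnerable", VulnerableApp(build_db())),
                      ("safe", SafeApp(build_db()))):
        print(name, "error hint:", error_only_hint(app.get),
              "boolean confirmed:", confirm_boolean_sqli(app.get))
```

Against a real target the responses must be normalised before comparison (strip timestamps, CSRF tokens and other per-request content), and if the page content does not depend on the query result at all, the same true/false pairing can be done on response time with a database-specific delay function instead. Either way the finding rests on a controlled, repeatable difference rather than on how many requests happened to return 500.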