
When I have manipulated the URI of an application with some SQL or XSS payloads I am able to see a runtime error page. Can we come to a conclusion that the application is vulnerable to SQL Injection or XSS attacks?

Please Suggest

Sai Dutt Mekala

1 Answer


Can we come to a conclusion that the application is vulnerable to SQL Injection or XSS attacks.

Why would you think so?

If the injected XSS payload is not shown, there is no XSS vulnerability (at least not reflected; we cannot say anything about persistent).

We cannot say anything about SQL injection. There may or may not be one, the presence of an error message doesn't tell either way, you need to perform further tests (and enable error messages if you can).

The fact that you get a generic error message only tells you that your request was invalid, but not why. It could be that the application expected an integer but got a string, and thus shows an error (this is how it should be). It could also be that you injected into a query and broke it, and thus got an error message (this shouldn't happen), or it may be a number of different issues.

tim
  • I have sent the payload **' o//r 1/0 --** in place of a query parameter which is generally an integer. I am testing this at API level using a tool for the REST URI. This is the URI that I am working on: 'somesite.com/api/creditAccount/' o//r 1/0 --/details'. So can this be an issue, because it is observed only at API level but not at Web UI level? Why is it that the responses at API level and Web UI level are different? – Sai Dutt Mekala Mar 22 '17 at 14:20
  • Anyone with any idea on API security testing. – Sai Dutt Mekala Mar 23 '17 at 08:46
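An added example (not code from the question, the answer, or the site under test) that illustrates tim's point: a handler that correctly rejects a non-integer account id and a handler whose query is broken by the same payload both return the identical generic "runtime error" to the client, so only server-side evidence can tell them apart. The SQLite table, the `lookup_safe`/`lookup_concat` names and the error mapping are all assumptions.

```python
import re
import sqlite3

# Constructed stand-in for the creditAccount API's backing store (assumption, not the real site).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE credit_account (id INTEGER PRIMARY KEY, balance INTEGER)")
    db.executemany("INSERT INTO credit_account VALUES (?, ?)", [(1, 100), (2, 250)])
    return db

def parse_account_id(segment):
    """Strict ASCII-digit check for the path segment; anything else is rejected before any SQL runs."""
    if not re.fullmatch(r"[0-9]+", segment):
        raise ValueError("account id must be a non-negative integer")
    return int(segment)

def lookup_safe(db, segment):
    """Validate first, then bind the value as a parameter: the input never becomes SQL text."""
    account_id = parse_account_id(segment)
    row = db.execute("SELECT balance FROM credit_account WHERE id = ?", (account_id,)).fetchone()
    return row[0] if row else None

def lookup_concat(db, segment):
    """Deliberately defective: the segment is spliced into the statement, so odd input breaks the query."""
    row = db.execute(f"SELECT balance FROM credit_account WHERE id = {segment}").fetchone()
    return row[0] if row else None

def handle(db, segment, lookup):
    """Generic error mapping like the page the question describes.

    Returns (client_body, server_log). The client body is the same for both failure
    paths; only the server-side log distinguishes a rejected input from a broken query.
    """
    try:
        return {"balance": lookup(db, segment)}, "ok"
    except ValueError as exc:
        return {"error": "runtime error"}, f"validation rejected input: {exc}"
    except sqlite3.Error as exc:
        return {"error": "runtime error"}, f"query failed, review this code path: {exc}"

if __name__ == "__main__":
    db = make_db()
    payload = "' o//r 1/0 --"  # the payload from the question's comment
    for name, fn in (("safe", lookup_safe), ("concat", lookup_concat)):
        body, log = handle(db, payload, fn)
        print(name, body, "| server log:", log)
```

Run stand-alone it prints the same client-visible error for both handlers while the server log differs, which is the "further tests" and "enable error messages if you can" advice in practice.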