An SQL Injection attack breaks the following pattern: Input -> Query SQL == SQL injection
SQL Injection testing is further broken down by product or vendor: Oracle Testing, MySQL Testing, SQL Server Testing, Testing PostgreSQL, MS Access Testing, Testing for NoSQL injection.

4.8.6 LDAP Injection (OTG-INPVAL-006)
LDAP injection testing is similar to SQL Injection testing. The differences are that testers use the LDAP protocol instead of SQL and the target is an LDAP Server instead of a SQL Server. An LDAP Injection attack breaks the following pattern: Input -> Query LDAP == LDAP injection

4.8.7 ORM Injection (OTG-INPVAL-007)
ORM injection testing is similar to SQL Injection Testing.
From the tester's point of view, this attack is virtually identical to a SQL Injection attack.
However, the injection vulnerability exists in the code generated by an ORM tool.

4.8.10 XPath Injection (OTG-INPVAL-010)
XPath is a language that has been designed and developed primarily to address parts of an XML document.
In XPath injection testing, testers check if it is possible to inject data into an application so that it executes user-controlled XPath queries.

An XSS attack breaks the following pattern: Input -> Output == cross-site scripting.
In this guide, the following types of XSS testing are discussed in detail:
4.8.1 Testing for Reflected Cross Site Scripting (OTG-INPVAL-001)
4.8.2 Testing for Stored Cross Site Scripting (OTG-INPVAL-002)
Client-side XSS testing, such as DOM XSS and Cross Site Flashing, is discussed in the Client Side testing section.

Here are the testing methods for the common types of buffer overflow vulnerabilities: Heap overflow, Stack overflow, Format string. In general, a buffer overflow breaks the following pattern: Input -> Fixed buffer or format string == overflow

4.8.15 Incubated vulnerability (OTG-INPVAL-015)
Incubated testing is a complex form of testing that needs more than one data validation vulnerability to work.

4.8.16 Testing for HTTP Splitting/Smuggling (OTG-INPVAL-016)
Describes how to test for HTTP exploits such as HTTP Verb, HTTP Splitting and HTTP Smuggling.

An XML Injection attack breaks the following pattern: Input -> XML doc == XML injection

4.8.9 SSI Injection (OTG-INPVAL-009)
Web servers usually give developers the ability to add small pieces of dynamic code inside static HTML pages, without having to deal with full-fledged server-side or client-side languages.