Input Validation Cheat Sheet
Related articles: SQL Injection Cheat Sheet
We sometimes carelessly throw characters up and about in an attempt to find a gem. This paper covers miscellaneous injection characters and their meanings when applied to web application testing.
| Character(s) | Details |
| --- | --- |
| NULL or null | Often produces interesting error messages as the web application is expecting a value. It can also help us determine if the backend is a PL/SQL gateway. |
| {' , " , ; , <!} | Breaks an SQL string or query; used for SQL, XPath and XML Injection tests. |
| {-- , = , + , "} | These characters are used to craft SQL Injection queries. |
| {` , & , ! , \| , < , >} | Used to find command execution vulnerabilities. |
| "><script>alert(1)</script> | Used for basic Cross-Site Scripting checks. |
| {%0d , %0a} | Carriage Return / Line Feed (new line); all round bad. |
| {%7f , %ff} | Byte-length overflows; the maximum 7- and 8-bit values. |
| {-1, other} | Integer overflow and underflow vulnerabilities. |
| Ax1024+ | Overflow vulnerabilities. |
| {%n , %x , %s} | Testing for format string vulnerabilities. |
| ../ | Directory traversal vulnerabilities. |
| {% , _ , *} | Wildcard characters can sometimes present DoS issues or information disclosure. |
These characters can be represented in many different ways (e.g. percent-encoded, double-encoded, or as Unicode look-alikes). It is important to understand this when restricting input to these character sets: a filter that only matches the literal ASCII form is easily bypassed.
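To make that point concrete, here is an added example (not part of the original cheat sheet) of an allowlist validator that canonicalizes input before checking it, so that percent-encoded, double-encoded and fullwidth Unicode forms of the characters in the table above are all seen in one form. The field name, the allowlist and the sample inputs are constructed for this example.

```python
"""Allowlist validation that survives alternate encodings of the characters
listed in the cheat sheet. Added example; constructed for illustration."""
import unicodedata
from urllib.parse import unquote

# Characters from the cheat sheet that commonly break out of a query, command
# or tag. Constructed for this example; extend it to the context you validate.
SUSPICIOUS = set("'\";<>!&|`=%_*+")


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (to catch double encoding such as %2527) and
    fold Unicode compatibility forms to their ASCII equivalents with NFKC, so
    that fullwidth U+FF07 becomes a plain apostrophe before any check runs."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return unicodedata.normalize("NFKC", value)


def validate_username(raw: str, max_len: int = 32) -> bool:
    """Accept only ASCII letters, digits, '.', '-' and '_' after canonicalization.
    Control characters (including the %0d%0a pair from the table) and NULL
    bytes fail the allowlist automatically, so no blocklist is needed."""
    value = canonicalize(raw)
    if not 1 <= len(value) <= max_len:
        return False
    return all(ch.isascii() and (ch.isalnum() or ch in "._-") for ch in value)


def suspicious_chars(raw: str) -> set:
    """Report which cheat-sheet characters (or control characters) survive
    canonicalization; useful when logging why a value was rejected."""
    return {ch for ch in canonicalize(raw) if ch in SUSPICIOUS or ord(ch) < 0x20}
```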
References:
- Mike Shema - Hack Notes
- w3schools
Found these useful for format string testing as well:

```
AAAAA%c
AAAAA%d
AAAAA%e
AAAAA%f
AAAAA%i
AAAAA%o
AAAAA%p
AAAAA%s
AAAAA%x
AAAAA%n
```
Also grugq mentioned that using the "p" character was better than A or 1.
good list mate, me likes ;0)
Cheers mate, always appreciate your feedback.
For people interested in format string usage and its character injection possibilities, "man 3 printf" (if you're using Linux or Cygwin) is always useful.