I am writing an automatic tester for our web application's API. I'm trying to break it and expose flaws. So far I am trying:

- missing parameters
- additional "guess" parameters (e.g. `admin=1`)
- malicious parameters: sending something like `eval("echo 'injection';");`, all in %-encoding
- other classic SQL injection attacks like `OR 1=1`, comments `--`

I'm not really trying to go for stuff like drop tables; I don't want to damage our test environment. All of my attacks are more aimed at printing messages so I know I got around our security without deleting information.
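As an added illustration of the kind of harness the post describes (this is example code, not the poster's tester or API): it generates the four case families from the post (missing parameters, a guessed `admin=1`, the percent-encoded `eval(...)` string, and the `OR 1=1` / `--` strings), sends each through an endpoint, and flags replies that suggest a check was bypassed. Detection relies on the non-destructive canary word `injection` from the post's own payload, so a "hit" means the input was reflected or executed, not that anything was deleted. The two endpoints, `strict_api` and `lax_api`, are constructed stand-ins that take a raw query string; in a real run you would replace the call with an HTTP request to your test environment.

```python
"""Added example: a small API tester in the spirit of the post.
The endpoints below are constructed stand-ins, not a real application."""
import json
from urllib.parse import parse_qs, urlencode

REQUIRED = ("user", "amount")
CANARY = "injection"  # the word the post's eval payload would print if it ever ran
# Payloads taken from the post; none of them modify data.
PAYLOADS = ["eval(\"echo 'injection';\");", "' OR 1=1", "' OR 1=1 --"]


def _params(query: str) -> dict:
    """Decode a percent-encoded query string into {name: first_value}."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def strict_api(query: str):
    """Constructed endpoint that validates input the way we would want:
    required fields present, no unknown fields, values in a tight format."""
    p = _params(query)
    missing = [k for k in REQUIRED if k not in p]
    if missing:
        return 400, json.dumps({"error": "missing", "fields": missing})
    if set(p) - set(REQUIRED):
        return 400, json.dumps({"error": "unknown parameter"})
    if not p["amount"].isdigit() or not p["user"].isalnum():
        return 400, json.dumps({"error": "bad value"})
    return 200, json.dumps({"ok": True})


def lax_api(query: str):
    """Constructed endpoint with the classic mistakes: ignores missing fields,
    honours a guessed admin flag, and reflects raw input into the reply."""
    p = _params(query)
    if p.get("admin") == "1":
        return 200, json.dumps({"ok": True, "role": "admin"})
    return 200, json.dumps({"ok": True, "echo": p.get("user", "")})


def build_cases(base: dict):
    """Return (name, expected_status, percent-encoded query) for each probe."""
    cases = []
    for k in base:  # missing parameters: drop each required field in turn
        rest = {x: v for x, v in base.items() if x != k}
        cases.append((f"missing:{k}", 400, urlencode(rest)))
    # guessed parameter that a sloppy endpoint might honour
    cases.append(("guess:admin=1", 400, urlencode({**base, "admin": "1"})))
    for k in base:  # malicious values; urlencode does the %-encoding
        for pl in PAYLOADS:
            cases.append((f"inject:{k}:{pl[:12]}", 400, urlencode({**base, k: pl})))
    return cases


def run_suite(api, base=None):
    """Run every case against `api` and return {case_name: [findings]}
    for the cases that misbehaved. An empty dict means nothing was flagged."""
    base = base or {"user": "alice", "amount": "10"}
    report = {}
    for name, expected, query in build_cases(base):
        status, body = api(query)
        findings = []
        if status >= 500:
            findings.append(f"server error {status}: input not handled")
        elif status != expected:
            findings.append(f"expected {expected}, got {status}")
        if CANARY in body:
            findings.append("canary reflected or executed in response")
        if name.startswith("guess") and '"role": "admin"' in body:
            findings.append("guessed parameter changed privilege")
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for label, api in (("strict", strict_api), ("lax", lax_api)):
        rep = run_suite(api)
        print(f"{label}: {len(rep)} problematic case(s)")
        for n, f in rep.items():
            print(f"  {n}: {'; '.join(f)}")
```

Against `strict_api` the report is empty; against `lax_api` all nine cases are flagged, with the `eval` probe on `user` showing the canary in the reply and the `admin=1` probe showing a privilege change. The expected status per case is a choice: if your API legitimately tolerates extra parameters, relax the guess case to "not 5xx and no privilege change" rather than demanding a 400.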