How we did it

We used a pair of Dell PowerEdge 6000 servers running Windows 2000 and Microsoft Internet Information Server 5.0 as the testing platform. The test sites installed used ColdFusion and Active Server Pages for dynamic database access and did not have input sanitization built in. Testing covered exploits such as URL tampering, form-field manipulation, SQL injection and many known IIS server specific exploits. Two other machines on a connected network using automated security audit tools and manual attacks performed testing. A third machine was used as the administration console for altering and configuration where possible. Server interaction was monitored not only at the browser level but the underlying HTTP discussion was monitored to ensure standard interaction between systems.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

We used a pair of Dell PowerEdge 6000 servers running Windows 2000 and Microsoft Internet Information Server 5.0 as the testing platform. The test sites installed used ColdFusion and Active Server Pages for dynamic database access and did not have input sanitization built in. Testing covered exploits such as URL tampering, form-field manipulation, SQL injection and many known IIS server specific exploits. Two other machines on a connected network using automated security audit tools and manual attacks performed testing. A third machine was used as the administration console for altering and configuration where possible. Server interaction was monitored not only at the browser level but the underlying HTTP discussion was monitored to ensure standard interaction between systems.

Read more about security in Network World's Security section.