• United States
by Thomas Powell, Network World Global Test Alliance

How we did it

Aug 18, 20031 min

We used a pair of Dell PowerEdge 6000 servers running Windows 2000 and Microsoft Internet Information Server 5.0 as the testing platform. The test sites installed used ColdFusion and Active Server Pages for dynamic database access and did not have input sanitization built in. Testing covered exploits such as URL tampering, form-field manipulation, SQL injection and many known IIS server specific exploits. Two other machines on a connected network using automated security audit tools and manual attacks performed testing. A third machine was used as the administration console for altering and configuration where possible. Server interaction was monitored not only at the browser level but the underlying HTTP discussion was monitored to ensure standard interaction between systems.