Can an SQL Multiplication Operator Cause SQL Injection?

I am using Acunetix to perform part of the security audit on the incoming website. The application is mainly developed with PHP and MySQL.

All user input is escaped, but some input parameters (mainly URL parameters) remain partially unescaped: I can still send the operator "*" in a string parameter. Acunetix raises a warning because of this:

Attack details

The URL-encoded POST URL was set to 417*1*1*1*1*1*1*

Tests completed:

648' => ERROR
648'' => ERROR
883*1*1* => ERROR
545*1*1*1*1 => OK
965*1*1*1*1* => ERROR
880*1*1*1*1*1*1 => OK
417*1*1*1*1*1*1* => ERROR
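The OK/ERROR pattern in the scanner output is the part worth reading closely: an expression such as 545*1*1*1*1 is accepted and 883*1*1* is rejected only when the parameter is spliced into the statement unquoted, where quote-escaping changes nothing. The Python block below is an added example, not code from the question, from the application or from Acunetix; it reproduces the reported verdicts against a constructed in-memory SQLite table (standing in for the MySQL database, since both parse "*" as multiplication), with a simplified quote-escaping function in place of mysqli_real_escape_string, and puts the validated, parameterized lookup beside it.

```python
import re
import sqlite3

# Constructed stand-in for the application's database: an in-memory SQLite
# table (the question's app uses MySQL; both parse "*" as multiplication).
_conn = sqlite3.connect(":memory:", check_same_thread=False)
_conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
_conn.executemany("INSERT INTO posts VALUES (?, ?)",
                  [(545, "post 545"), (648, "post 648"), (880, "post 880")])

# Scanner probes quoted in the question, with the verdicts Acunetix reported.
PROBES = {
    "648'": "ERROR",
    "648''": "ERROR",
    "883*1*1*": "ERROR",
    "545*1*1*1*1": "OK",
    "965*1*1*1*1*": "ERROR",
    "880*1*1*1*1*1*1": "OK",
    "417*1*1*1*1*1*1*": "ERROR",
}

def escape(value: str) -> str:
    """Simplified quote-escaping in the style of mysqli_real_escape_string.
    It neutralises quotes and backslashes but leaves "*" untouched."""
    return re.sub(r"(['\"\\])", r"\\\1", value)

def lookup_interpolated(param: str) -> str:
    """Vulnerable pattern: the escaped value is spliced into an UNQUOTED
    numeric position, so it is parsed as SQL. Returns the scanner-style
    verdict: "OK" if the statement parsed, "ERROR" if it did not."""
    sql = f"SELECT title FROM posts WHERE id = {escape(param)}"
    try:
        _conn.execute(sql).fetchall()
        return "OK"
    except sqlite3.OperationalError:
        return "ERROR"

def lookup_parameterized(param: str) -> str:
    """Hardened pattern: validate the parameter as an integer, then bind it.
    Arithmetic or quotes never reach the SQL parser as code."""
    if not re.fullmatch(r"\d+", param):
        return "REJECTED"
    rows = _conn.execute("SELECT title FROM posts WHERE id = ?",
                         (int(param),)).fetchall()
    return "OK" if rows else "NOT_FOUND"

def matches_scanner(handler=lookup_interpolated) -> bool:
    """True when the handler reproduces every verdict quoted in the question."""
    return all(handler(p) == verdict for p, verdict in PROBES.items())
```

When `matches_scanner()` is true for the interpolating handler, the scanner is not objecting to multiplication as such; it has shown that arithmetic in the parameter decides whether the statement parses, which is only possible when the value is inserted unquoted, and the parameterized handler removes that property entirely.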


Source: https://habr.com/ru/post/1692257/

