1. SQL Injection. Currently, if a login form is vulnerable to SQL injection, how would one test for it? Other than supplying an invalid response to the server to generate a syntax error and continuing from there onwards with the ...OR '1'='1' command, is there any way of viewing the page source and determining if it has allowed commands which are not supposed to be there?

2. For the TCP/IP 3-way handshake, it's not safe in the sense that nmap still dumps packets on the scanning target. XMAS and FTP bounce scans don't really fit the criteria of actually masking the attempt (short of disassembling the packets). Other than the -sD function, are there less intrusive ways of scanning? I've heard of idle scanning or shooting off packets every 5 hours, but surely there has to be a better way than relying on decoys.

3. Exactly how much (additional) security does SSL provide? From what I've read, it's nothing more than a marginal piece of security on top of data tunnels.

4. Is it possible to configure an IDS to reset or drop packets which have malware payload on them, before the packets arrive and are executed?

5. Reverse shell/shell shoveling with NetCat. Given that a tunnel exists between A and B, how would A cause B to spawn a shell on A if all inbound connections to B have been filtered/blocked?

6. Cookie poisoning. From what I've read, it involves forging a cookie that a webpage allows, and using that cookie to access the webpage without a password. Aren't there defences which can prevent this from happening?

It's a tough learning curve for a script kiddie... >_<