SQL Injection Attack Pattern

From Guidance Share
Revision as of 06:26, 11 December 2007 by JD (talk | contribs)


Context

You have an application that accesses a database and uses input to construct queries. The target application does not use type-safe parameters.


Problem

How to execute unauthorized code in the database, for example to reveal sensitive data, perform unauthorized transactions, or manipulate or damage the database.


Forces

  • You want to read or modify data that you would not otherwise have access to.
  • You want to cause a database exception which might reveal database information.


Solution

  • Look for sources of input
  • Place sample SQL injection attack strings in input locations
  • Look for database errors
  • If a database error is found, craft an attack string to execute the desired SQL statement
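
The condition named in Context (no type-safe parameters) and the database-error signal named in Forces and Solution can be checked from the defender's side. The following is an added example, not part of the original page: it assumes Python's built-in sqlite3 module, a constructed in-memory table, and hypothetical function names, and uses only a legitimate name containing an apostrophe as input.

```python
import sqlite3

def make_db():
    # Constructed in-memory sample data for this example.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany("INSERT INTO customers (name, email) VALUES (?, ?)",
                   [("O'Brien", "obrien@example.test"), ("Smith", "smith@example.test")])
    return db

def find_concatenated(db, name):
    # The condition from Context: input is spliced into the SQL text,
    # so a quote character in the input changes the statement itself.
    sql = "SELECT email FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]

def find_parameterized(db, name):
    # The input is bound as a value; the SQL text never changes.
    sql = "SELECT email FROM customers WHERE name = ?"
    return [row[0] for row in db.execute(sql, (name,))]

def lookup(db, name, finder):
    # Keep database error text out of the response; the caller sees
    # only a generic failure, never the driver's message.
    try:
        return {"ok": True, "emails": finder(db, name)}
    except sqlite3.Error:
        # Real code would log the exception server-side here.
        return {"ok": False, "error": "lookup failed"}

def quote_regression(db, finder):
    # Defensive check: a legitimate name with an apostrophe must
    # return its row and must not raise a database error.
    try:
        return finder(db, "O'Brien") == ["obrien@example.test"]
    except sqlite3.Error:
        return False

if __name__ == "__main__":
    db = make_db()
    print("concatenated passes:", quote_regression(db, find_concatenated))
    print("parameterized passes:", quote_regression(db, find_parameterized))
    print("response on failure:", lookup(db, "O'Brien", find_concatenated))
```

A query path that fails `quote_regression` is building SQL from input text and should be moved to bound parameters; the `lookup` wrapper addresses the second item under Forces by keeping exception detail out of responses.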