SQL Injection Attack Pattern
You have an application that accesses a database and uses input to construct queries. The target application does not use type-safe parameters.
How to execute unauthorized code in the database. For example to reveal sensitive data, perform unauthorized transactions or manipulate or damage the database.
- You want to read or modify data that you would not otherwise have access to.
- You want to cause a database exception which might reveal database information.
- Look for sources of input
- Place sample sql injection attack strings in input locations
- Look for database errors
- If a database error is found, craft attack string to execute the desired sql statement