SQL Injection Attack Pattern

From Guidance Share


Context

You have an application that accesses a database and uses input to construct queries. The target application does not use type-safe parameters.
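The construction the Context describes (input pasted into the query text) beside its parameterized form, as an added example that is not from the original page; the table and its rows are constructed for the demonstration, and `lookup_unsafe` returns the raw database error text because that leaked error is the signal this pattern relies on.

```python
import sqlite3


def build_db():
    """Constructed in-memory table for the demonstration; not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("o'brien", "user")],
    )
    return conn


def unsafe_sql(name):
    """The vulnerable construction: the input becomes part of the SQL text,
    so any quote in it is parsed as SQL syntax rather than as data."""
    return "SELECT name, role FROM users WHERE name = '" + name + "'"


def lookup_unsafe(conn, name):
    """Runs the concatenated statement. A legitimate name containing an
    apostrophe already breaks it, and surfacing the error text to the caller
    is exactly what reveals the flaw to anyone probing the input."""
    try:
        return conn.execute(unsafe_sql(name)).fetchall()
    except sqlite3.Error as exc:
        return "database error: " + str(exc)


def lookup_safe(conn, name):
    """The mitigation: a type-safe parameter. The driver sends the value
    separately from the statement text, so the input can never change the
    structure of the query, and the apostrophe is handled correctly."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(lookup_unsafe(db, "o'brien"))  # error text: input was parsed as SQL
    print(lookup_safe(db, "o'brien"))    # [('o\'brien', 'user')]
```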


Problem

How to execute unauthorized code in the database, for example to reveal sensitive data, perform unauthorized transactions, or manipulate or damage the database.


Forces

  • You want to read or modify data that you would not otherwise have access to.
  • You want to cause a database exception which might reveal database information.


Solution

  • Look for sources of input.
  • Place sample SQL injection attack strings in the input locations.
  • Look for database errors.
  • If a database error is found, craft an attack string that executes the desired SQL statement.