SQL Injection Attack Pattern

From Guidance Share
Jump to navigationJump to search


You have an application that accesses a database and uses input to construct queries. The target application does not use type-safe parameters.


How to execute unauthorized code in the database. For example to reveal sensitive data, perform unauthorized transactions or manipulate or damage the database.


  • You want to read or modify data that you would not otherwise have access to.
  • You want to cause a database exception which might reveal database information.


  • Look for sources of input
  • Place sample sql injection attack strings in input locations
  • Look for database errors
  • If a database error is found, craft attack string to execute the desired sql statement