Penetration Testing mailing list archives
RE: sql injection: url or form based?
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Fri, 10 Feb 2006 11:27:45 -0600
It is all the same. SQL Injection occurs because an application takes a piece of data from the user and concatenates it into a string to execute. This could be a URL parameter, a form value, even a cookie. Yep, some portals build queries off of the cookies to decide what to show you off of where you've been (what cookies are set). Anyway, the attack vector isn't that important.

Spend some time reading here:
www.owasp.org
www.webappsec.org

NGS and SPI Dynamics have SQL Injection whitepapers you should read, and I think they are all linked off of the WASC site above. If you want to learn from code, most developer portals like the Code Project will have several articles geared towards your language/database of choice.

-ae
-----Original Message-----
From: johnny Mnemonic [mailto:security4thefainthearted () hotmail com]
Sent: Friday, February 10, 2006 12:07 AM
To: pen-test () securityfocus com
Subject: sql injection: url or form based?

I see many references to manipulation of SQL backend databases through both URL based and Forms based SQL injection but I'm wondering what are the essential differences between both methods and when to use one over the other. Thanks.

_________________________________________________________________
Get cheap fares online with MSN Travel http://www.msn.com.sg/travel/

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831
------------------------------------------------------------------------------
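Added example (not from the thread): a small Python/sqlite3 sketch of the point Arian makes above, using a hypothetical name lookup. It takes the same untrusted value from a URL parameter, a form field or a cookie and shows that the channel is irrelevant: only the string-concatenated query changes shape, while the parameterized query treats the value purely as data.

```python
import sqlite3


def make_db():
    # Constructed sample table standing in for a portal's user store.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user")])
    return con


def extract_name(request):
    # The hypothetical app accepts 'name' from a URL parameter, a form field
    # or a cookie. Which channel delivered it makes no difference below.
    for channel in ("query", "form", "cookie"):
        if "name" in request.get(channel, {}):
            return request[channel]["name"]
    return ""


def lookup_concat(con, request):
    # Vulnerable pattern: untrusted data spliced into the SQL text, so a
    # quote in the value can change the statement's structure.
    sql = "SELECT name FROM users WHERE name = '" + extract_name(request) + "'"
    try:
        return [row[0] for row in con.execute(sql)]
    except sqlite3.OperationalError:
        return None  # malformed statement: the input broke the query


def lookup_param(con, request):
    # Hardened pattern: the value is bound as a parameter and is only ever
    # compared as data, never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in con.execute(sql, (extract_name(request),))]


def compare(request):
    # Returns (concatenated result, parameterized result) for one request.
    con = make_db()
    return lookup_concat(con, request), lookup_param(con, request)


if __name__ == "__main__":
    probe = "x' OR '1'='1"
    for channel in ("query", "form", "cookie"):
        print(channel, compare({channel: {"name": probe}}))
    print("apostrophe", compare({"form": {"name": "o'brien"}}))
```

A legitimate value containing an apostrophe breaks the concatenated statement outright, which is often the first sign of the bug in logs long before anyone probes it deliberately.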