Penetration Testing mailing list archives
RE: sql injection: url or form based?
From: "Kyle Quest" <Kyle.Quest () networkengines com>
Date: Fri, 10 Feb 2006 11:39:48 -0500
Don't let anybody confuse you. They are pretty much the same thing. "Form based" can be considered a generic name because forms use either the GET or POST HTTP methods. If GET is used, then your SQL injection ends up in the URL. If POST is used, then the form data along with your injected data is passed in the body of your HTTP request. The difference is only in the way the injected data is transported to the victim.

Some webapps accept form data through both GET and POST requests, which sometimes can be used to evade network-based detection systems if they are expecting form data only in GET requests. Even if they do check POST requests, there's a possibility that they don't handle all the different encodings of POST data.

Kyle

-----Original Message-----
From: johnny Mnemonic [mailto:security4thefainthearted () hotmail com]
Sent: Friday, February 10, 2006 1:07 AM
To: pen-test () securityfocus com
Subject: sql injection: url or form based?

I see many references to manipulation of SQL backend databases through both URL based and Forms based SQL injection, but I'm wondering what the essential differences between both methods are and when to use one over the other.

Thanks.
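The transport difference Kyle describes, as an added example that is not part of the original post or the thread: the same tautology payload is placed in a GET query string, in an application/x-www-form-urlencoded POST body, and in a multipart/form-data POST body (a second encoding of POST data). A small parser reconstructs what the application receives in each case, and two toy detectors are run over the raw requests: one that only inspects the request line (the URL) and one that decodes the body the way the application does. The parameter name `user`, the host `app.example`, the boundary string and the detector regex are assumptions for illustration, not anything from the thread.

```python
"""Same SQL injection payload, three HTTP transports, two kinds of detector."""
import re
import urllib.parse

PARAM = "user"                    # assumed form field name (illustration only)
PAYLOAD = "admin' OR '1'='1"      # classic tautology injection string
# Toy signature: a quote, the word OR, another quote. Real sensors are richer.
INJECTION_RE = re.compile(r"'\s*or\s*'", re.IGNORECASE)


def build_get(payload: str) -> bytes:
    """Form submitted with method=GET: the payload lands in the URL."""
    qs = urllib.parse.urlencode({PARAM: payload})
    return f"GET /login?{qs} HTTP/1.1\r\nHost: app.example\r\n\r\n".encode()


def build_post_urlencoded(payload: str) -> bytes:
    """Form submitted with method=POST, default browser encoding."""
    body = urllib.parse.urlencode({PARAM: payload})
    return (f"POST /login HTTP/1.1\r\nHost: app.example\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode()


def build_post_multipart(payload: str, boundary: str = "XxBoundaryxX") -> bytes:
    """Same POST, but encoded as multipart/form-data (enctype on the form)."""
    body = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{PARAM}"\r\n\r\n'
            f"{payload}\r\n--{boundary}--\r\n")
    return (f"POST /login HTTP/1.1\r\nHost: app.example\r\n"
            f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode()


def split_request(raw: bytes):
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode().split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (line.split(":", 1) for line in lines[1:])}
    return method, target, headers, body


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Minimal multipart/form-data parser: field name -> decoded value."""
    params = {}
    for part in body.split(b"--" + boundary.encode()):
        if not part or part.startswith(b"--"):   # preamble or closing delimiter
            continue
        if part.startswith(b"\r\n"):             # CRLF that follows the boundary
            part = part[2:]
        if part.endswith(b"\r\n"):               # CRLF that precedes the next boundary
            part = part[:-2]
        part_headers, _, value = part.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', part_headers)
        if name:
            params[name.group(1).decode()] = value.decode()
    return params


def app_view(raw: bytes) -> dict:
    """What the web application sees, whichever transport delivered the form."""
    method, target, headers, body = split_request(raw)
    if method == "GET":
        query = urllib.parse.urlsplit(target).query
        return {k: v[0] for k, v in urllib.parse.parse_qs(query).items()}
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        return {k: v[0] for k, v in urllib.parse.parse_qs(body.decode()).items()}
    if ctype.startswith("multipart/form-data"):
        return parse_multipart(body, ctype.split("boundary=", 1)[1])
    return {}


def url_only_detector(raw: bytes) -> bool:
    """Sensor that only decodes and inspects the request line (the URL)."""
    request_line = raw.split(b"\r\n", 1)[0].decode()
    return bool(INJECTION_RE.search(urllib.parse.unquote_plus(request_line)))


def body_aware_detector(raw: bytes) -> bool:
    """Sensor that decodes every encoding the app accepts before matching."""
    return any(INJECTION_RE.search(v) for v in app_view(raw).values())


if __name__ == "__main__":
    requests = [("GET", build_get(PAYLOAD)),
                ("POST urlencoded", build_post_urlencoded(PAYLOAD)),
                ("POST multipart", build_post_multipart(PAYLOAD))]
    for label, req in requests:
        print(f"{label:16} app sees {app_view(req)[PARAM]!r:22} "
              f"url-only: {url_only_detector(req)!s:5} "
              f"body-aware: {body_aware_detector(req)}")
```

The application receives the identical string in all three cases, so the injection behaves the same against the database; only the URL-only sensor sees a difference, and it misses both POST encodings. A sensor that handles urlencoded bodies but not multipart would miss the third case in the same way.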
Current thread:
- sql injection: url or form based? johnny Mnemonic (Feb 10)
- Re: sql injection: url or form based? FocusHacks (Feb 10)
- Re: sql injection: url or form based? Bernhard Finkbeiner (Feb 10)
- Re: sql injection: url or form based? Brian Rectanus (Feb 11)
- Re: sql injection: url or form based? Bernhard Finkbeiner (Feb 10)
- Re: sql injection: url or form based? dork (Feb 10)
- Re: sql injection: url or form based? AdamT (Feb 10)
- <Possible follow-ups>
- RE: sql injection: url or form based? Evans, Arian (Feb 10)
- RE: sql injection: url or form based? Kyle Quest (Feb 10)
- RE: sql injection: url or form based? LAROUCHE Francois (Feb 13)
- Re: sql injection: url or form based? FocusHacks (Feb 10)