RE: sql injection: url or form based?

["Kyle Quest" <Kyle.Quest () networkengines com>]

Don't let anybody confuse you. They are pretty much the same thing.

"Form based" can be considered a generic name
because forms use either the GET or POST 
HTTP methods. If GET is used, then your SQL 
injection ends up in the URL. If POST is used,
then the form data along with your injected data
is passed in the body of your HTTP request.

The difference is only in the way the injected
data is transported to the victim. Some webapps
accept form data through both GET and POST
requests, which sometimes can be used to evade
network-based detection systems if they are expecting
form data only in get requests. Even if they do
check POST requests there's a possibility that
they don't handle all different encodings of POST
data.

Kyle

-----Original Message-----
From: johnny Mnemonic [mailto:security4thefainthearted () hotmail com]
Sent: Friday, February 10, 2006 1:07 AM
To: pen-test () securityfocus com
Subject: sql injection: url or form based? 


I see many references to manipulation of SQL backend databases through both 
URL based and Forms based SQL injection but I'm wondering what are the 
essentials differences between both methods and when to use one over the 
other.
Thanks.


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------