SQL Injection Attack Pattern

From Guidance Share

Jump to: navigation, search


Context

You have an application that accesses a database and uses input to construct queries. The target application does not use type-safe parameters.


Problem

How to execute unauthorized code in the database. For example to reveal sensitive data, perform unauthorized transactions or manipulate or damage the database.


Forces

  • You want to read or modify data that you would not otherwise have access to.
  • You want to cause a database exception which might reveal database information.


Solution

  • Look for sources of input
  • Place sample sql injection attack strings in input locations
  • Look for database errors
  • If a database error is found, craft attack string to execute the desired sql statement
Personal tools