RE: sql injection: url or form based?

Don't let anybody confuse you. They are pretty much the same thing.

"Form based" can be considered a generic name
because forms use either the GET or POST
HTTP methods. If GET is used, then your SQL
injection ends up in the URL. If POST is used,
then the form data along with your injected data
is passed in the body of your HTTP request.

The difference is only in the way the injected
data is transported to the victim. Some webapps
accept form data through both GET and POST
requests, which sometimes can be used to evade
network-based detection systems if they are expecting
form data only in get requests. Even if they do
check POST requests there's a possibility that
they don't handle all different encodings of POST
data.

Kyle

-----Original Message-----
From: johnny Mnemonic [mailto:security4thefainthearted@xxxxxxxxxxx]
Sent: Friday, February 10, 2006 1:07 AM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: sql injection: url or form based?


I see many references to manipulation of SQL backend databases through both
URL based and Forms based SQL injection but I'm wondering what are the
essentials differences between both methods and when to use one over the
other.
Thanks.


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

Relevant Pages

  • Re: Slow down blind SQL injection
    ... "User1234 session start 3 min ago; delay between requests <1second ... happens lots you can assume there might be automation tools involved. ... with blind sql injection then the chances are high that somewhere else ... Slow down blind SQL injection ...
    (Security-Basics)
  • RE: autopostback vs submit?
    ... If the user presses the Submit button, you should process the form data in a ... CommandEventArgs) Handles Button1.Command ... you can leave the page load event only for processing ... actions common to all requests or to actions specific to the first request of ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: File Uploads
    ... You are instantiating cgi.FieldStorage twice. ... requests, because instantiating a FieldStorage reads the form data from ... Try to create a second one and cgi will try to read all the form data ...
    (comp.lang.python)
  • Re: question about validation and sql injection
    ... Again nothing to do with sql injection. ... Simply run any variable that will be part of a query through ... the best bet is to read in your form data like this.... ... mysql_real_escape_string on that var. ...
    (php.general)
  • Re: How to read POSTed data
    ... It looks to me like it always expects form data ... Then this data is sent to the standard input of the CGI script. ... about the management of data sent by POST requests). ...
    (comp.lang.python)
Loading