Cookie based SQL Injection




All data sent by the browser to a Web application, if used in a SQL query, can be manipulated in order to inject SQL code: GET and POST parameters, cookies and other HTTP headers. Some of these values ​​can be found in the environment variables. The GET and POST parameters are typically entered into HTML forms, they can contain hidden fields, i.e. information that is in form but not shown. GET parameters are contained in the URL and POST parameters are passed as HTTP content. Nowadays, and with the growth of Web 2.0 technologies, the GET and POST requests can also be generated by JavaScript.

Injecting malicious code in cookie:

Unlike other parameters, cookies are not supposed to be handled by users. Outside of session cookies which are (usually) random, cookies may contain data in clear or encoded in hexadecimal, base64, hashes (MD5, SHA1), serialized information. If we can determine the encoding used, we will attempt to inject SQL commands. Read more about the technique here:

http://resources.infosecinstitute.com/cookie-based-sql-injection/





------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------



Relevant Pages

  • Re: Different ways to portscan IPS
    ... Prove to peers and potential employers without a doubt that you can ... a full practical examination in order to become certified. ... Information Assurance Certification Review ...
    (Pen-Test)
  • RE: Different ways to portscan IPS
    ... Prove to peers and potential employers without a doubt that you can ... a full practical examination in order to become certified. ... Information Assurance Certification Review ...
    (Pen-Test)
  • Exploiting IPC$
    ... Prove to peers and potential employers without a doubt that you can ... a full practical examination in order to become certified. ... Information Assurance Certification Review ...
    (Pen-Test)
  • Re: Assessing the security awareness of web users at a national level
    ... IRC, facebook, myspace, etc) or the different attack vectors (e.g. virus ... Information Assurance Certification Review Board ... Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. ...
    (Pen-Test)
  • Re: career advice
    ... Information Assurance Certification Review Board ... Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. ...
    (Pen-Test)