[WEB SECURITY] SQL Injection through "name" field possible?

Nilesh Bhosale nilesh at gslab.com
Tue Feb 1 00:29:48 EST 2011


Through XML it would be much more difficult, since any special characters (
*, ', ;, \\ etc.) or spaces in an XML "element name" or "attribute name"
would make it non-well-formed XML, and all the SOAP processors/XML
parsers will discard such messages there itself.

Can anyone come up with practical cases making this possible (through
XML as well as HTML forms, any case other than the one I already mentioned)?

~ Nilesh

On Tuesday 01 February 2011 10:54 AM, Tasos Laskos wrote:
> On 01/02/11 05:24, Tasos Laskos wrote:
>> Hi,
>>
>> On 01/02/11 05:03, Nilesh Bhosale wrote:
>>> Hi,
>>>
>>> Generally, SQL injection is possible with the "value" field in an
>>> HTML form.
>>> I was just wondering if it is practically possible through the "name"
>>> field as well.
>>>
>> Sure it is.
>>> Also, for XML or SOAP requests is it possible using "element name" or
>>> "attribute name" as opposed to "character data of an element" or
>>> "attribute value" which is generally seen.
>>>
>> Could be...for the same reason as the one you mention below but I'd
>> find it a more unlikely scenario.
>> When you read from XML you usually tend to look for what you want
>> specifically.
>>> I think SQL injection can happen using the field name, typically if
>>> some lazy developers are using the column name in the SQL DB as a
>>> "name" in the form and just blindly using the form-field "name" in
>>> their SQL INSERT (or so) queries.
>>>
>> Yep, for that reason exactly.
>>> Would like to see your comments on this.
>>>
>> My comment is that I'm really embarrassed that this hadn't occurred
>> to me before you mentioned it.
>>> Thanks,
>>> Nilesh
>>
>
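
Added example, not part of the original thread: the pattern described above (form field names reused as column names in an INSERT) next to an allowlisted version, in Python with sqlite3. The users table, the function names and the form contents are assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample input: the second field *name* carries SQL, the values are harmless.
CONSTRUCTED_FORM = {
    "name": "mallory",
    "email, is_admin) VALUES (?, ?, 1) --": "m@example.test",
}

# Server-side mapping from accepted form field names to real column names (assumed schema).
FIELD_TO_COLUMN = {"name": "name", "email": "email"}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER DEFAULT 0)")
    return conn


def insert_unsafe(conn, form):
    """The pattern from the thread: values are bound, field names are pasted in."""
    cols = ", ".join(form.keys())
    marks = ", ".join("?" for _ in form)
    conn.execute(f"INSERT INTO users ({cols}) VALUES ({marks})", list(form.values()))


def insert_safe(conn, form):
    """Reject unknown field names; column names come only from FIELD_TO_COLUMN."""
    unknown = sorted(set(form) - set(FIELD_TO_COLUMN))
    if unknown or not form:
        raise ValueError(f"unexpected or missing form fields: {unknown!r}")
    fields = [f for f in FIELD_TO_COLUMN if f in form]
    cols = ", ".join(FIELD_TO_COLUMN[f] for f in fields)
    marks = ", ".join("?" for _ in fields)
    conn.execute(f"INSERT INTO users ({cols}) VALUES ({marks})", [form[f] for f in fields])


def is_admin_after_unsafe():
    """Run the unsafe insert on the constructed form and report the stored flag."""
    conn = make_db()
    insert_unsafe(conn, CONSTRUCTED_FORM)
    return conn.execute("SELECT is_admin FROM users").fetchone()[0]


if __name__ == "__main__":
    print("is_admin after unsafe insert:", is_admin_after_unsafe())
    try:
        insert_safe(make_db(), CONSTRUCTED_FORM)
    except ValueError as exc:
        print("safe insert rejected the request:", exc)
```

Binding the values with placeholders does not help here, because the field name reaches the statement text before any binding happens; only the server-side allowlist keeps request-supplied names out of the SQL.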
