[WEB SECURITY] SQL Injection through "name" field possible?

Nilesh Bhosale nilesh at gslab.com
Tue Feb 1 01:00:01 EST 2011


Thanks Tasos for sharing your thoughts.


On Tuesday 01 February 2011 11:14 AM, Tasos Laskos wrote:
> Any element used by the web application could qualify for this.
> Cookies, headers, URL parameters...
>
> If someone uses their own library to dynamically create SQL queries
> and they just pass a hash
> (which is usually the data structure of choice for that sort of thing)
> of any of the aforementioned elements,
> operating under the confidence that the hash keys (form, cookie, link
> param or header names) have not been altered, then that's your
> practical case right there.
>
> We've all seen far more naive things going on in webapps; this isn't
> so far-fetched.
>
> That's true about the XML but if the attribute names go unexamined who
> says that you won't be able to include well-formed XML code in them?
>
> On 01/02/11 05:29, Nilesh Bhosale wrote:
>> Through XML it would be much more difficult, since any special characters
>> (*, ', ;, \\ etc.) or spaces in an XML "element name" or "attribute name"
>> would make it non-well-formed XML, and all the SOAP processors/XML
>> parsers will discard such messages right there.
>>
>> Can anyone come up with practical cases making this possible (through
>> XML as well as HTML forms, any case other than the one I already mentioned)?
>>
>> ~ Nilesh
>>
>> On Tuesday 01 February 2011 10:54 AM, Tasos Laskos wrote:
>>> On 01/02/11 05:24, Tasos Laskos wrote:
>>>> Hi,
>>>>
>>>> On 01/02/11 05:03, Nilesh Bhosale wrote:
>>>>> Hi,
>>>>>
>>>>> Generally, SQL injection is possible with the "value" field in an
>>>>> HTML form.
>>>>> I was just wondering if it is practically possible through the "name"
>>>>> field as well.
>>>>>
>>>> Sure it is.
>>>>> Also, for XML or SOAP requests, is it possible using "element name" or
>>>>> "attribute name" as opposed to "character data of an element" or
>>>>> "attribute value", which is what is generally seen?
>>>>>
>>>> Could be... for the same reason as the one you mention below, but I'd
>>>> find it a more unlikely scenario.
>>>> When you read from XML you usually tend to look for what you want
>>>> specifically.
>>>>> I think SQL injection can happen using the field name, typically if
>>>>> some lazy developers are using the column name in the SQL DB as the
>>>>> "name" in the form and just blindly using the form-field "name" in
>>>>> their SQL INSERT (or similar) queries.
>>>>>
>>>> Yep, for that reason exactly.
>>>>> Would like to see your comments on this.
>>>>>
>>>> My comment is that I'm really embarrassed that this hadn't occurred
>>>> to me before you mentioned it.
>>>>> Thanks,
>>>>> Nilesh
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> The Web Security Mailing List
>>>>
>>>
>>
>>
>
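The pattern Nilesh describes, a form field *name* used directly as the column name in an INSERT, shown as an added example that is not code from the thread. The `users` schema, the per-table allowlist and the submitted form are constructed for illustration; the naive builder trusts field names, the hardened one only accepts allowlisted identifiers and still parameterises values.

```python
import re
import sqlite3

# Constructed schema for the example: the form is meant to write only
# username and email, while is_admin is an internal column.
SCHEMA = ("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
          "email TEXT, is_admin INTEGER NOT NULL DEFAULT 0)")

# Columns each form is permitted to write (hypothetical allowlist).
ALLOWED_COLUMNS = {"users": {"username", "email"}}
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def build_insert_naive(table, form):
    """The pattern from the thread: form field *names* are spliced into the
    SQL text as column names. Only the values are parameterised, so the
    statement itself is shaped by whoever chooses the field names."""
    cols = ", ".join(form.keys())
    marks = ", ".join("?" for _ in form)
    return f"INSERT INTO {table} ({cols}) VALUES ({marks})", tuple(form.values())

def build_insert_safe(table, form):
    """Treat field names as untrusted: accept only allowlisted identifiers,
    quote them, and still parameterise the values."""
    allowed = ALLOWED_COLUMNS.get(table)
    if allowed is None:
        raise ValueError(f"unknown table {table!r}")
    for name in form:
        if name not in allowed or not IDENT.match(name):
            raise ValueError(f"rejected form field name {name!r}")
    cols = ", ".join(f'"{n}"' for n in form)
    marks = ", ".join("?" for _ in form)
    return f'INSERT INTO "{table}" ({cols}) VALUES ({marks})', tuple(form.values())

def submit(form, builder):
    """Run one form submission against a fresh in-memory DB and return the
    stored (username, is_admin) row, or None if the builder rejected it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    try:
        sql, params = builder("users", form)
    except ValueError:
        return None
    conn.execute(sql, params)
    return conn.execute("SELECT username, is_admin FROM users").fetchone()

# Constructed submission carrying an extra field named after an internal column.
FORM = {"username": "bob", "email": "bob@example.test", "is_admin": 1}
```

`submit(FORM, build_insert_naive)` returns `('bob', 1)` because the stray field name became a column in the INSERT, while `submit(FORM, build_insert_safe)` returns `None` because the allowlist rejects it.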