[WEB SECURITY] SQL Injection through "name" field possible?

Tasos Laskos tasos.laskos at gmail.com
Tue Feb 1 00:44:36 EST 2011

Any element used by the web application could qualify for this.
Cookies, headers, URL parameters...

If someone uses their own library to dynamically create SQL queries and 
they just pass a hash
(which is usually the data-structure of choice for that fort of thing) 
of any of the aforementioned elements
operating under the confidence that the hash keys (form, cookie, link 
param or headers names) have not been altered then that's your practical 
case right there.

We've all seen far more naive things going on in webapps, this isn't so 
far fetched.

That's true about the XML but if the attribute names go unexamined who 
says that you won't be able to include well-formed XML code in them?

On 01/02/11 05:29, Nilesh Bhosale wrote:
> Through XMLs it would be much difficult, since any special characters (
> *, ', ;, \\ etc.) or spaces in XML "element name" or "attribute name"
> would make it a non-wellformed XML and all the SOAP processors/XML
> parsers will discard such messages there itself.
> Can anyone come-up with practical cases making this possible (through
> XML as well as HTML Forms any other case than I already mentioned)?
> ~ Nilesh
> On Tuesday 01 February 2011 10:54 AM, Tasos Laskos wrote:
>> On 01/02/11 05:24, Tasos Laskos wrote:
>>> Hi,
>>> On 01/02/11 05:03, Nilesh Bhosale wrote:
>>>> Hi,
>>>> Generally, SQL injection is possible with the "value" field in a
>>>> HTML form.
>>>> I was just wondering if it is practically possible through the "name"
>>>> field as well.
>>> Sure it is.
>>>> Also, for XML or SOAP requests is it possible using "element name" or
>>>> "attribute name" as opposed to "character data of an element" or
>>>> "attribute value" which is generally seen.
>>> Could be...for the same reason as the one you mention bellow but it'd
>>> find it a more unlikely scenario.
>>> When you read from XML you usually tend to look for what you want
>>> specifically.
>>>> I think SQL injection can happen using the field name, typically if
>>>> some
>>>> lazy developers are using the column name in the SQL DB as a "name" in
>>>> the form and just blindly using the form-field "name" in his SQL INSERT
>>>> (or so) queries.
>>> Yep, for that reason exactly.
>>>> Would like to see your comments on this.
>>> My comment is that I'm really embarrassed that this hadn't occurred
>>> to me before you mentioned it.
>>>> Thanks,
>>>> Nilesh
>>>> _______________________________________________
>>>> The Web Security Mailing List
>>>> WebSecurity RSS Feed
>>>> http://www.webappsec.org/rss/websecurity.rss
>>>> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>>> WASC on Twitter
>>>> http://twitter.com/wascupdates
>>>> websecurity at lists.webappsec.org
>>>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

More information about the websecurity mailing list