[WEB SECURITY] SQL Injection through "name" field possible?

James Manico jim at manico.net
Tue Feb 1 07:06:18 EST 2011


You just XML encode your attack. Many XML libraries auto-decode as you
pull data from the XML.

-Jim Manico
http://manico.net

On Jan 31, 2011, at 11:33 PM, Nilesh Bhosale <nilesh at gslab.com> wrote:

> Through XMLs it would be much more difficult, since any special characters (
> *, ', ;, \\ etc.) or spaces in XML "element name" or "attribute name"
> would make it a non-wellformed XML and all the SOAP processors/XML
> parsers will discard such messages there itself.
>
> Can anyone come up with practical cases making this possible (through
> XML as well as HTML Forms any other case than I already mentioned)?
>
> ~ Nilesh
>
> On Tuesday 01 February 2011 10:54 AM, Tasos Laskos wrote:
>> On 01/02/11 05:24, Tasos Laskos wrote:
>>> Hi,
>>>
>>> On 01/02/11 05:03, Nilesh Bhosale wrote:
>>>> Hi,
>>>>
>>>> Generally, SQL injection is possible with the "value" field in a
>>>> HTML form.
>>>> I was just wondering if it is practically possible through the "name"
>>>> field as well.
>>>>
>>> Sure it is.
>>>> Also, for XML or SOAP requests is it possible using "element name" or
>>>> "attribute name" as opposed to "character data of an element" or
>>>> "attribute value" which is generally seen.
>>>>
>>> Could be...for the same reason as the one you mention below but I'd
>>> find it a more unlikely scenario.
>>> When you read from XML you usually tend to look for what you want
>>> specifically.
>>>> I think SQL injection can happen using the field name, typically if
>>>> some
>>>> lazy developers are using the column name in the SQL DB as a "name" in
>>>> the form and just blindly using the form-field "name" in his SQL INSERT
>>>> (or so) queries.
>>>>
>>> Yep, for that reason exactly.
>>>> Would like to see your comments on this.
>>>>
>>> My comment is that I'm really embarrassed that this hadn't occurred
>>> to me before you mentioned it.
>>>> Thanks,
>>>> Nilesh
>>>>
>>>>
>>>> _______________________________________________
>>>> The Web Security Mailing List
>>>>
>>>> WebSecurity RSS Feed
>>>> http://www.webappsec.org/rss/websecurity.rss
>>>>
>>>> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>>>
>>>> WASC on Twitter
>>>> http://twitter.com/wascupdates
>>>>
>>>> websecurity at lists.webappsec.org
>>>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>>>>
>>>>
>>>
>>
>

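The two points raised in this thread (field names pasted into an INSERT, and XML parsers decoding character references before the application sees the data) can be seen together in the following added example, which is not part of the original messages. The `users` table, the `col` attribute and all function names are assumptions made for the illustration.

```python
import sqlite3
import xml.etree.ElementTree as ET

ALLOWED_COLUMNS = {"name", "email"}  # assumed schema for this example

# Constructed request: the quote is written as the character reference &#39;,
# so no literal ' appears on the wire.
RAW_XML = ('<row><field col="name&#39;">alice</field>'
           '<field col="email">a@example.org</field></row>')

def parse_fields(raw_xml):
    """Return {column: value} as the application sees it after XML parsing."""
    return {f.get("col"): f.text for f in ET.fromstring(raw_xml).iter("field")}

def insert_unsafe_sql(fields):
    """The pattern from the thread: field names pasted into the statement."""
    cols = ", ".join(fields)
    marks = ", ".join("?" for _ in fields)
    return f"INSERT INTO users ({cols}) VALUES ({marks})"

def insert_safe(conn, fields):
    """Bind values; accept identifiers only if they are on the allowlist."""
    bad = [c for c in fields if c not in ALLOWED_COLUMNS]
    if bad:
        raise ValueError(f"unexpected field name(s): {bad!r}")
    cols = list(fields)
    sql = "INSERT INTO users ({}) VALUES ({})".format(
        ", ".join(cols), ", ".join("?" for _ in cols))
    conn.execute(sql, [fields[c] for c in cols])

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    decoded = parse_fields(RAW_XML)          # parser has decoded &#39; to '
    unsafe_sql = insert_unsafe_sql(decoded)  # statement text is now altered
    try:
        insert_safe(conn, decoded)
        rejected = False
    except ValueError:
        rejected = True
    insert_safe(conn, {"name": "alice", "email": "a@example.org"})
    rows = conn.execute("SELECT name, email FROM users").fetchall()
    return decoded, unsafe_sql, rejected, rows

if __name__ == "__main__":
    print(demo())
```

Bound parameters protect only values, so identifiers taken from a request need the allowlist check, and that check has to run on the parsed data rather than on the raw message.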