[WEB SECURITY] SQL Injection through "name" field possible?

PortSwigger mail at portswigger.net
Tue Feb 1 04:29:03 EST 2011


Hi Nilesh

I've seen SQL injection and numerous other kinds of input-based attacks in parameter names. However improbable a mistake might seem, there are always developers willing to make it. I blogged about this here, with some examples taken from real-world engagements:

http://blog.portswigger.net/2008/08/attacking-parameter-names.html

Just to indulge in the self-pimpage, Burp Scanner always checks for input-based attacks within parameter names.

Cheers
PortSwigger

On 1 Feb 2011, at 05:03, Nilesh Bhosale wrote:

> Hi,
> 
> Generally, SQL injection is possible with the "value" field in an HTML form.
> I was just wondering if it is practically possible through the "name"
> field as well.
> 
> Also, for XML or SOAP requests is it possible using "element name" or
> "attribute name" as opposed to "character data of an element" or
> "attribute value" which is generally seen.
> 
> I think SQL injection can happen using the field name, typically if some
> lazy developers are using the column name in the SQL DB as a "name" in
> the form and just blindly using the form-field "name" in his SQL INSERT
> (or so) queries.
> 
> Would like to see your comments on this.
> 
> Thanks,
> Nilesh
> 
> 
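Added example, not part of the original thread or of either poster's code: the pattern discussed above, where form field names are reused as column names in an INSERT, shown next to a version that checks names against an allowlist. The `users` table, the function names and the sample form are assumptions constructed for illustration.

```python
import sqlite3

# Assumed for illustration: the only columns a form may set.
ALLOWED_COLUMNS = {"name", "email"}

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users "
               "(name TEXT, email TEXT, is_admin INTEGER DEFAULT 0)")
    return db

def insert_vulnerable(db, form):
    # Values are bound with placeholders, but the field *names* are pasted
    # into the statement text, so they are still an injection point.
    cols = ", ".join(form.keys())
    marks = ", ".join("?" for _ in form)
    sql = f"INSERT INTO users ({cols}) VALUES ({marks})"
    db.execute(sql, list(form.values()))
    return sql

def insert_hardened(db, form):
    # Identifiers cannot be bound as parameters, so every field name must
    # match a fixed allowlist before it is used as a column name.
    unknown = set(form) - ALLOWED_COLUMNS
    if unknown:
        raise ValueError(f"unexpected field name(s): {sorted(unknown)!r}")
    cols = ", ".join(f'"{c}"' for c in form)
    marks = ", ".join("?" for _ in form)
    db.execute(f"INSERT INTO users ({cols}) VALUES ({marks})",
               list(form.values()))

# Constructed sample request: the second field name carries SQL syntax.
HOSTILE_FORM = {
    "name": "bob",
    "email, is_admin) VALUES (?, ?, 1) --": "bob@example.test",
}

if __name__ == "__main__":
    db = make_db()
    print(insert_vulnerable(db, HOSTILE_FORM))
    print(db.execute("SELECT * FROM users").fetchall())
    try:
        insert_hardened(make_db(), HOSTILE_FORM)
    except ValueError as exc:
        print("rejected:", exc)
```

The vulnerable builder uses bound parameters for every value and is still injectable, which is why scanning or reviewing only parameter values misses this class of bug.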




