[WEB SECURITY] SQL Injection through "name" field possible?

Arian J. Evans arian.evans at anachronic.com
Tue Feb 1 13:17:10 EST 2011


As PortSwigger noted, the Name of a key=value pair should always be
tested the same way as the Value for syntax attacks.

In general the Name will tend to be the less exploitable of the
Name=Value pair. But in some modern IDEs the developers will strongly
validate the Value, while the Name is not exposed to validation as
easily or obviously as the Value.

So if they use arbitrarily generated/modified Names in queries, HTML,
XML, path traversal calls, etc., all of your usual suspects for attack
may work.

Also - suffixing your attack to the name tends to work better than
prefixing or name-replacement. Many apps allow a Name construct where
new like-names can be (or are already) dynamically generated like
Name1, Name2, NameSomething, etc. and loosely allow a range of chars
after Name[metachars].

---
Arian Evans



On Tue, Feb 1, 2011 at 1:29 AM, PortSwigger <mail at portswigger.net> wrote:
> Hi Nilesh
>
> I've seen SQL injection and numerous other kinds of input-based attacks in parameter names. However improbable a mistake might seem, there are always developers willing to make it. I blogged about this here, with some examples taken from real-world engagements:
>
> http://blog.portswigger.net/2008/08/attacking-parameter-names.html
>
> Just to indulge in the self-pimpage, Burp Scanner always checks for input-based attacks within parameter names.
>
> Cheers
> PortSwigger
>
> On 1 Feb 2011, at 05:03, Nilesh Bhosale wrote:
>
>> Hi,
>>
>> Generally, SQL injection is possible with the "value" field in an HTML form.
>> I was just wondering if it is practically possible through the "name"
>> field as well.
>>
>> Also, for XML or SOAP requests is it possible using "element name" or
>> "attribute name" as opposed to "character data of an element" or
>> "attribute value" which is generally seen.
>>
>> I think SQL injection can happen using the field name, typically if some
>> lazy developers are using the column name in the SQL DB as a "name" in
>> the form and just blindly using the form-field "name" in their SQL INSERT
>> (or so) queries.
>>
>> Would like to see your comments on this.
>>
>> Thanks,
>> Nilesh
>>
>>
>> _______________________________________________
>> The Web Security Mailing List
>>
>> WebSecurity RSS Feed
>> http://www.webappsec.org/rss/websecurity.rss
>>
>> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>
>> WASC on Twitter
>> http://twitter.com/wascupdates
>>
>> websecurity at lists.webappsec.org
>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>
>
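The pattern Nilesh describes (form field names copied into an INSERT as column names) and the suffix trick Arian recommends (keep the legitimate name, append the payload) can be shown side by side. The following is an added example written for this page, not code posted by anyone in the thread. It assumes a constructed SQLite schema with a `users` table (`username`, `email`, `is_admin`); the form dicts, the `insert_vulnerable` / `insert_hardened` function names and the `ALLOWED_COLUMNS` list are illustrative choices, not anything from the original messages.

```python
import sqlite3


def make_db():
    """Constructed schema for the demo: the third column is the one an
    attacker wants to set but which the form never exposes as a value."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " username TEXT NOT NULL,"
        " email TEXT NOT NULL,"
        " is_admin INTEGER NOT NULL DEFAULT 0)"
    )
    return conn


def insert_vulnerable(conn, form):
    """The 'lazy developer' pattern from the thread: form field NAMES are
    pasted into the statement as column names, while the VALUES are bound
    with placeholders and therefore look safe in a review.

    `form` is a dict of name -> value as a web framework hands it over.
    Returns the SQL text actually executed so the caller can inspect it.
    """
    cols = ", ".join(form.keys())            # names go in unquoted, unchecked
    marks = ", ".join("?" for _ in form)
    sql = f"INSERT INTO users ({cols}) VALUES ({marks})"
    conn.execute(sql, list(form.values()))   # only the values are parameterised
    conn.commit()
    return sql


# Hypothetical allowlist: the only names the form is ever expected to send.
ALLOWED_COLUMNS = ("username", "email")


def insert_hardened(conn, form):
    """Same insert, but every submitted name must be on a fixed allowlist.
    Quoting identifiers alone would stop the syntax attack below but would
    still let a client submit a field literally named is_admin."""
    unknown = sorted(set(form) - set(ALLOWED_COLUMNS))
    if unknown:
        raise ValueError(f"unexpected form field(s): {unknown}")
    present = [c for c in ALLOWED_COLUMNS if c in form]
    cols = ", ".join(present)
    marks = ", ".join("?" for _ in present)
    conn.execute(f"INSERT INTO users ({cols}) VALUES ({marks})",
                 [form[c] for c in present])
    conn.commit()


def admin_flags(conn):
    """Map username -> is_admin, used to observe the effect of each insert."""
    return dict(conn.execute("SELECT username, is_admin FROM users"))


# Constructed requests. The honest one is what the form normally sends.
HONEST_FORM = {"username": "alice", "email": "alice@example.org"}

# The attack keeps the legitimate name 'email' and SUFFIXES the payload,
# as the thread suggests. The payload supplies exactly as many '?' as there
# are submitted fields, so the bind count still matches and the statement
# runs; everything after '--' (the developer's own VALUES clause) is a comment.
EVIL_FORM = {
    "username": "eve",
    "email, is_admin) VALUES (?, ?, 1) --": "eve@example.org",
}


def demo():
    """Run both forms through the vulnerable path, then the evil form through
    the hardened path. Returns (admin flags after the attack, was it blocked)."""
    conn = make_db()
    insert_vulnerable(conn, HONEST_FORM)
    insert_vulnerable(conn, EVIL_FORM)   # succeeds and makes eve an admin
    flags = admin_flags(conn)
    try:
        insert_hardened(conn, EVIL_FORM)
        blocked = False
    except ValueError:
        blocked = True
    return flags, blocked


if __name__ == "__main__":
    flags, blocked = demo()
    print(flags)                                   # {'alice': 0, 'eve': 1}
    print("hardened path rejected payload:", blocked)
```

The executed statement for the evil form is `INSERT INTO users (username, email, is_admin) VALUES (?, ?, 1) --) VALUES (?, ?)`: the bound values still land in `username` and `email`, but the column list has grown and the attacker-chosen literal fills `is_admin`. A scanner that only mutates values never produces this request, which is the point PortSwigger makes about testing names.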