Hi,
Generally, SQL injection is possible with the "value" field in an HTML form.
I was just wondering if it is practically possible through the "name"
field as well.
Also, for XML or SOAP requests is it possible using "element name" or
"attribute name" as opposed to "character data of an element" or
"attribute value" which is generally seen.
I think SQL injection can happen using the field name, typically if some
lazy developers are using the column name in the SQL DB as a "name" in
the form and just blindly using the form-field "name" in their SQL INSERT
(or so) queries.
Would like to see your comments on this.
Thanks,
Nilesh
Hi Nilesh
I've seen SQL injection and numerous other kinds of input-based attacks in parameter names. However improbable a mistake might seem, there are always developers willing to make it. I blogged about this here, with some examples taken from real-world engagements:
http://blog.portswigger.net/2008/08/attacking-parameter-names.html
Just to indulge in the self-pimpage, Burp Scanner always checks for input-based attacks within parameter names.
Cheers
PortSwigger
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
As PortSwigger noted - the Name of a key=value pair should always be
tested the same as a Value for syntax-attacks.
In general the Name will tend to be the less exploitable of the
Name=Value pair. But, in some modern IDEs the developers will strongly
validate the Value, but the Name is not exposed to validation as
easily/obviously as the Value.
So if they use arbitrarily generated/modified Names in queries, HTML,
XML, path traversal calls, etc., all of your usual suspects for attack
may work.
Also - suffixing your attack to the name tends to work better than
prefixing or name-replacement. Many apps allow a Name construct where
new like-names can be (or are already) dynamically generated like
Name1, Name2, NameSomething, etc. and loosely allow a range of chars
after Name[metachars].
Arian Evans
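Added example, not code from anyone in this thread: a constructed Python/sqlite3 handler of the kind Nilesh hypothesises (the form-field name is used as the column name in an INSERT, while the value is bound with a placeholder), the suffix-style payload Arian describes (the expected prefix "name1" is kept so the app's loose prefix match still accepts the field, and SQL is appended after it), the hardened form that allowlists parameter names against the live schema, and a small probe loop that sends the usual value metacharacters suffixed onto the name instead. The schema, table names, the "audit" table and the handler functions are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed in-memory schema for the demonstration; nothing here is from the thread.
SCHEMA = """
CREATE TABLE contacts (id INTEGER PRIMARY KEY, name1 TEXT, name2 TEXT, email TEXT);
CREATE TABLE audit (id INTEGER PRIMARY KEY, note TEXT);
INSERT INTO audit (note) VALUES ('secret audit entry');
"""

TABLE = "contacts"  # fixed constant, never user-controlled


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def insert_vulnerable(db, form):
    """Hypothetical handler: form *values* are bound safely with '?', but any
    field whose name starts with 'name' (so the form can grow name1, name2, ...)
    has its *name* spliced into the column list without validation."""
    fields = {k: v for k, v in form.items() if k.startswith("name")}
    cols = ", ".join(fields)
    marks = ", ".join("?" for _ in fields)
    sql = f"INSERT INTO {TABLE} ({cols}) VALUES ({marks})"
    db.execute(sql, list(fields.values()))
    db.commit()
    return sql


def table_columns(db, table):
    # Allowlist taken from the live schema rather than hand-maintained.
    return {row[1] for row in db.execute(f"PRAGMA table_info({table})")}


def insert_hardened(db, form):
    """Same feature: every submitted field name must be an existing column,
    and is identifier-quoted as defence in depth; values are still bound."""
    allowed = table_columns(db, TABLE)
    fields = {}
    for k, v in form.items():
        if k not in allowed:
            raise ValueError(f"rejected unexpected form field name: {k!r}")
        fields['"' + k.replace('"', '""') + '"'] = v
    cols = ", ".join(fields)
    marks = ", ".join("?" for _ in fields)
    sql = f"INSERT INTO {TABLE} ({cols}) VALUES ({marks})"
    db.execute(sql, list(fields.values()))
    db.commit()
    return sql


# Suffix payload: keeps the 'name1' prefix the app expects and appends SQL.
# The live statement keeps exactly one '?' so the binding count still matches;
# the original tail ') VALUES (?)' is commented out by '--'.
EXFIL_NAME = "name1, name2) SELECT note, ? FROM audit --"


def demo_exfiltration():
    """Vulnerable handler: the audit note is copied into contacts."""
    db = fresh_db()
    insert_vulnerable(db, {EXFIL_NAME: "probe"})
    return db.execute("SELECT name1, name2 FROM contacts").fetchall()


def demo_hardened_rejects():
    db = fresh_db()
    try:
        insert_hardened(db, {EXFIL_NAME: "probe"})
    except ValueError:
        return True
    return False


def demo_hardened_accepts_good_input():
    db = fresh_db()
    insert_hardened(db, {"name1": "alice", "name2": "smith", "email": "a@example.invalid"})
    return db.execute("SELECT name1, name2, email FROM contacts").fetchall()


def name_probes(base):
    """Tester's view: the metacharacter probes one would put in a value,
    suffixed onto the parameter name rather than replacing it."""
    return [base + s for s in ("'", '"', ")", ",", "--", " OR 1=1")]


def probe_handler(handler):
    """Send each probe name through a handler on a fresh DB and report which
    ones raise a database error, i.e. which ones reached the SQL parser."""
    hits = []
    for name in name_probes("name1"):
        db = fresh_db()
        try:
            handler(db, {name: "x"})
        except sqlite3.Error:
            hits.append(name)
        except ValueError:
            pass  # rejected before any SQL was built
    return hits


if __name__ == "__main__":
    print(demo_exfiltration())
    print(probe_handler(insert_vulnerable), probe_handler(insert_hardened))
```

The probe loop uses a database error as its oracle, which is the laziest possible detection; the same loop with timing or boolean-difference checks is what a scanner does when errors are suppressed. Note that the hardened handler rejects on name, not on value, so a tester who only fuzzes values would never exercise that check.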
I'm actually a little ashamed of this entire list for not mentioning
this already. Has no one heard of Little Bobby Tables?
http://xkcd.com/327/
Matt Zimmerman
Sorry man but Little Bobby's name would go in the value part of the form
not the name. ;)
To be fair, at first blush the casual reader could easily confuse the
content of this thread, transposing the question of testing Name=Value
for Value=Name.
I, for one, am not the only lysdexic person on this list.
In latter years I have learned we all benefit from channeling the
patient and benevolent persona of Amit Klein, :)
Arian Evans
Software Security Sophistry
Foreigner here and Google returns a bunch of Amit Kleins.
<thick accent> Who is this Amit Klein you speak of?</thick accent>
Will the real Amit Klein please stand up ;-)
That would be me. Yes, there are a few people out there with the same
name (note to future parents: Google suggested offspring names), but
AFAIK I'm the only one meddling with infosec.
And thanks to Arian for saving my name from oblivion, and to others
who said good things about me in this thread ;-)
Best,
-Amit