websecurity@lists.webappsec.org

The Web Security Mailing List


SQL Injection through "name" field possible?

Nilesh Bhosale
Tue, Feb 1, 2011 5:03 AM

Hi,

Generally, SQL injection is possible with the "value" field in a HTML form.
I was just wondering if it is practically possible through the "name"
field as well.

Also, for XML or SOAP requests is it possible using "element name" or
"attribute name" as opposed to "character data of an element" or
"attribute value" which is generally seen.

I think SQL injection can happen using the field name, typically if some
lazy developers are using the column name in the SQL DB as a "name" in
the form and just blindly using the form-field "name" in his SQL INSERT
(or so) queries.

Would like to see your comments on this.

Thanks,
Nilesh
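Added example, not code from the thread or from anyone on the list: the mistake Nilesh describes, a handler that copies submitted form-field names straight into the column list of an INSERT, beside the fixed version. The `users` table, the field names and the payload are constructed for this demo; the point it makes beyond the question is that binding the values with placeholders does nothing for the name side, because identifiers cannot be parameterised.

```python
"""Added example, not code from the thread: a form handler that maps
submitted field *names* onto column names, beside the fixed version.
The `users` table, field names and payload are constructed for the demo.
"""
import sqlite3
from urllib.parse import parse_qsl, urlencode


def setup_db() -> sqlite3.Connection:
    """Constructed schema: one table with a privilege column that the
    registration form is never supposed to touch."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " id INTEGER PRIMARY KEY, username TEXT, email TEXT,"
        " is_admin INTEGER NOT NULL DEFAULT 0)"
    )
    return conn


def insert_vulnerable(conn: sqlite3.Connection, form_body: str) -> None:
    """Values go through '?' placeholders, so the value side is safe.
    The column list, however, is built from the raw field names, so the
    name side reaches the SQL parser as code."""
    fields = parse_qsl(form_body, keep_blank_values=True)
    columns = ", ".join(name for name, _ in fields)
    placeholders = ", ".join("?" for _ in fields)
    sql = f"INSERT INTO users ({columns}) VALUES ({placeholders})"
    conn.execute(sql, [value for _, value in fields])
    conn.commit()


ALLOWED_COLUMNS = frozenset({"username", "email"})


def insert_hardened(conn: sqlite3.Connection, form_body: str) -> None:
    """Identifiers cannot be bound as parameters, so the only safe source
    for a column name is an allowlist the client does not control."""
    fields = parse_qsl(form_body, keep_blank_values=True)
    unknown = sorted({name for name, _ in fields} - ALLOWED_COLUMNS)
    if unknown:
        raise ValueError(f"unexpected form fields: {unknown}")
    columns = ", ".join(name for name, _ in fields)
    placeholders = ", ".join("?" for _ in fields)
    conn.execute(
        f"INSERT INTO users ({columns}) VALUES ({placeholders})",
        [value for _, value in fields],
    )
    conn.commit()


def attack_body() -> str:
    """Constructed request body. The payload is appended to a field *name*;
    the trailing '--' comments out the developer's own VALUES clause, so
    exactly two '?' remain and the two bound values still fit."""
    hostile_name = "email, is_admin) VALUES (?, ?, 1) --"
    return urlencode([("username", "mallory"), (hostile_name, "m@example.invalid")])


def is_admin(conn: sqlite3.Connection, username: str) -> bool:
    row = conn.execute(
        "SELECT is_admin FROM users WHERE username = ?", (username,)
    ).fetchone()
    return bool(row and row[0])


def demo() -> tuple:
    """Return (vulnerable_outcome, hardened_outcome) for the same request."""
    conn = setup_db()
    insert_vulnerable(conn, attack_body())
    vulnerable_outcome = is_admin(conn, "mallory")   # True: privilege set via a field name

    conn = setup_db()
    try:
        insert_hardened(conn, attack_body())
        hardened_outcome = is_admin(conn, "mallory")
    except ValueError:
        hardened_outcome = False                     # request rejected before any SQL runs
    return vulnerable_outcome, hardened_outcome


if __name__ == "__main__":
    print(demo())
```

The SQL the vulnerable handler ends up executing is `INSERT INTO users (username, email, is_admin) VALUES (?, ?, 1) --) VALUES (?, ?)`, and the two bound values slot neatly into the two placeholders that survive the comment. Escaping or quoting the names would be the wrong fix here; the allowlist is what removes the attacker from the identifier position altogether.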

PortSwigger
Tue, Feb 1, 2011 9:29 AM

Hi Nilesh

I've seen SQL injection and numerous other kinds of input-based attacks in parameter names. However improbable a mistake might seem, there are always developers willing to make it. I blogged about this here, with some examples taken from real-world engagements:

http://blog.portswigger.net/2008/08/attacking-parameter-names.html

Just to indulge in the self-pimpage, Burp Scanner always checks for input-based attacks within parameter names.

Cheers
PortSwigger


The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Arian J. Evans
Tue, Feb 1, 2011 6:17 PM

As PortSwigger noted - the Name of a key=value pair should always be
tested the same as a Value for syntax-attacks.

In general the Name will tend to be the less exploitable of the
Name=Value pair. But in some modern IDEs the developers will strongly
validate the Value, while the Name is not exposed to validation as
easily/obviously as the Value.

So if they use arbitrarily generated/modified Names in queries, HTML,
XML, path traversal calls, etc., all of your usual suspects for attack
may work.

Also - suffixing your attack to the name tends to work better than
prefixing or name-replacement. Many apps allow a Name construct where
new like-names can be (or are already) dynamically generated like
Name1, Name2, NameSomething, etc. and loosely allow a range of chars
after Name[metachars].


Arian Evans
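Added example, not from the thread: a small name-mutation harness for the point Arian makes, that a probe appended to a parameter name tends to survive where a prefix or a full replacement does not. `toy_handler` is a constructed sink, not any real application: it accepts any field whose name starts with `addr` (addr1, addr2, and so on) and copies the full name into a column list, which is the loose-suffix pattern described above. The sample body and the probe are likewise constructed.

```python
"""Added example, not from the thread: mutate each parameter *name* at
three positions and report which position reaches a constructed sink.
"""
from urllib.parse import parse_qsl, urlencode

PROBE = "'"   # the classic single-quote syntax probe; swap in others as needed
POSITIONS = ("suffix", "prefix", "replace")


def mutate_names(body: str, probe: str = PROBE):
    """Yield (original_name, position, mutated_body): one request per
    parameter per position, with every value left untouched."""
    fields = parse_qsl(body, keep_blank_values=True)
    for idx, (name, value) in enumerate(fields):
        variants = {"suffix": name + probe, "prefix": probe + name, "replace": probe}
        for position in POSITIONS:
            mutated = list(fields)
            mutated[idx] = (variants[position], value)
            yield name, position, urlencode(mutated)


def toy_handler(body: str) -> str:
    """Constructed vulnerable sink. Loose name matching (anything starting
    with 'addr') plus raw use of the name as an identifier is the
    combination that lets a suffixed payload through while a prefixed or
    replaced name is simply ignored."""
    cols = [n for n, _ in parse_qsl(body, keep_blank_values=True) if n.startswith("addr")]
    if not cols:
        raise ValueError("no address fields submitted")
    return "INSERT INTO address ({}) VALUES ({})".format(
        ", ".join(cols), ", ".join("?" for _ in cols)
    )


def positions_reaching_sink(body: str, handler, probe: str = PROBE) -> dict:
    """Map each parameter name to the mutation positions whose probe
    shows up in the SQL the handler builds."""
    reached = {}
    for name, position, mutated in mutate_names(body, probe):
        try:
            sql = handler(mutated)
        except ValueError:
            continue                       # request rejected outright
        if probe in sql:
            reached.setdefault(name, []).append(position)
    return reached


# Constructed sample request: two dynamically numbered address fields and
# one unrelated field.
SAMPLE_BODY = urlencode([("addr1", "10 Main St"), ("addr2", "Springfield"), ("note", "hi")])


if __name__ == "__main__":
    for name, position, mutated in mutate_names(SAMPLE_BODY):
        print(f"{name:6} {position:8} {mutated}")
    print(positions_reaching_sink(SAMPLE_BODY, toy_handler))
```

Against the toy handler only the suffix position on `addr1` and `addr2` reaches the query; the prefixed and replaced names fail the `startswith` check and never get near the SQL. In a real engagement the sink is not transparent, so the same three mutations per name would be judged by the usual blind signals (error pages, response differences, timing) rather than by inspecting the query string, which is exactly the parameter-name coverage PortSwigger mentions Burp Scanner applying.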


Matthew Zimmerman
Wed, Feb 2, 2011 1:40 AM

> Generally, SQL injection is possible with the "value" field in a HTML form.
> I was just wondering if it is practically possible through the "name"
> field as well.

I'm actually a little ashamed of this entire list for not mentioning
this already.  Has no one heard of Little Bobby Tables?
http://xkcd.com/327/

Matt Zimmerman

Tasos Laskos
Wed, Feb 2, 2011 3:19 AM

Sorry man, but Little Bobby's name would go in the value part of the form,
not the name. ;)


Arian J. Evans
Wed, Feb 2, 2011 4:18 AM

To be fair, at first blush the casual reader could easily confuse the
content of this thread, transposing the question of testing Name=Value
for Value=Name.

I, for one, am not the only lysdexic person on this list.

In latter years I have learned we all benefit from channeling the
patient and benevolent persona of Amit Klein, :)


Arian Evans
Software Security Sophistry


Tasos Laskos
Wed, Feb 2, 2011 4:26 AM

Foreigner here and Google returns a bunch of Amit Kleins.
<thick accent> Who is this Amit Klein you speak of?</thick accent>


Amit Klein
Thu, Feb 3, 2011 7:20 AM

Will the real Amit Klein please stand up ;-)

That would be me. Yes, there are a few people out there with the same
name (note to future parents: Google suggested offspring names), but
AFAIK I'm the only one meddling with infosec.

And thanks to Arian for saving my name from oblivion, and to others
who said good things about me in this thread ;-)

Best,
-Amit

