websecurity@lists.webappsec.org

The Web Security Mailing List


Re: [WEB SECURITY] SQL Injection through "name" field possible?

Nilesh Bhosale
Tue, Feb 1, 2011 6:00 AM

Thanks Tasos for sharing your thoughts.

On Tuesday 01 February 2011 11:14 AM, Tasos Laskos wrote:

> Any element used by the web application could qualify for this.
> Cookies, headers, URL parameters...
>
> If someone uses their own library to dynamically create SQL queries
> and they just pass a hash
> (which is usually the data-structure of choice for that sort of thing)
> of any of the aforementioned elements
> operating under the confidence that the hash keys (form, cookie, link
> param or header names) have not been altered, then that's your
> practical case right there.
>
> We've all seen far more naive things going on in webapps; this isn't
> so far-fetched.
>
> That's true about the XML, but if the attribute names go unexamined, who
> says that you won't be able to include well-formed XML code in them?
>
> On 01/02/11 05:29, Nilesh Bhosale wrote:
>
>> Through XMLs it would be much more difficult, since any special characters
>> (*, ', ;, \ etc.) or spaces in an XML "element name" or "attribute name"
>> would make it a non-well-formed XML document, and all the SOAP processors/XML
>> parsers will discard such messages right there.
>>
>> Can anyone come up with practical cases making this possible (through
>> XML as well as HTML forms, any other case than I already mentioned)?
>>
>> ~ Nilesh
>>
>> On Tuesday 01 February 2011 10:54 AM, Tasos Laskos wrote:
>>
>>> On 01/02/11 05:24, Tasos Laskos wrote:
>>>
>>>> Hi,
>>>>
>>>> On 01/02/11 05:03, Nilesh Bhosale wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Generally, SQL injection is possible with the "value" field in an
>>>>> HTML form.
>>>>> I was just wondering if it is practically possible through the "name"
>>>>> field as well.
>>>>
>>>> Sure it is.
>>>>
>>>>> Also, for XML or SOAP requests, is it possible using "element name" or
>>>>> "attribute name" as opposed to "character data of an element" or
>>>>> "attribute value", which is generally seen?
>>>>
>>>> Could be... for the same reason as the one you mention below, but I'd
>>>> find it a more unlikely scenario.
>>>> When you read from XML you usually tend to look for what you want
>>>> specifically.
>>>>
>>>>> I think SQL injection can happen using the field name, typically if
>>>>> some lazy developers are using the column name in the SQL DB as the
>>>>> "name" in the form and just blindly using the form-field "name" in
>>>>> their SQL INSERT (or similar) queries.
>>>>
>>>> Yep, for that reason exactly.
>>>>
>>>>> Would like to see your comments on this.
>>>>
>>>> My comment is that I'm really embarrassed that this hadn't occurred
>>>> to me before you mentioned it.
>>>>
>>>>> Thanks,
>>>>> Nilesh
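The pattern the thread describes (submitted field names copied verbatim into an INSERT as column names) beside a hardened builder, as an added Python example that is not from the thread: the `users` table, `ALLOWED_COLUMNS` and the sample submissions are constructed for the demo, and the same check applies whether the keys come from a form, a cookie, a header or XML element names.

```python
import re
import sqlite3

# Constructed demo schema: submitted field names are meant to map onto these columns.
ALLOWED_COLUMNS = {"username", "email"}
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_insert_naive(table, fields):
    """Pattern from the thread: column names are copied verbatim from submitted keys
    (form field, cookie, header or XML element names). Returns the SQL text only."""
    columns = ", ".join(fields.keys())
    placeholders = ", ".join("?" for _ in fields)
    return f"INSERT INTO {table} ({columns}) VALUES ({placeholders})"


def build_insert_safe(table, fields, allowed=ALLOWED_COLUMNS):
    """Hardened builder: each key must be a known column (allow-list) and a
    plain identifier, so it can be safely quoted; values stay bound as parameters."""
    for key in fields:
        if key not in allowed or not IDENTIFIER_RE.match(key):
            raise ValueError(f"unexpected field name: {key!r}")
    columns = ", ".join(f'"{k}"' for k in fields)
    placeholders = ", ".join("?" for _ in fields)
    return f"INSERT INTO {table} ({columns}) VALUES ({placeholders})"


def insert_user(conn, fields):
    """Run the hardened INSERT and return the row count afterwards."""
    conn.execute(build_insert_safe("users", fields), tuple(fields.values()))
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def demo():
    """Returns (naive SQL from a renamed field, safe-builder rejected it, rows stored)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    good = {"username": "alice", "email": "alice@example.org"}  # constructed
    renamed = {"username": "alice", 'email"': "x"}  # constructed: edited field name
    naive_sql = build_insert_naive("users", renamed)
    try:
        build_insert_safe("users", renamed)
        rejected = False
    except ValueError:
        rejected = True
    return naive_sql, rejected, insert_user(conn, good)


if __name__ == "__main__":
    print(demo())
```

The naive builder is never executed here; its returned string is enough to show the edited field name landing unchanged inside the statement, which is what the allow-list in the safe builder prevents.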
