Re: [WEB SECURITY] SQL Injection through "name" field possible?
On 01/02/11 05:24, Tasos Laskos wrote:
Hi,
On 01/02/11 05:03, Nilesh Bhosale wrote:
Hi,
Generally, SQL injection is possible with the "value" field in a HTML
form.
I was just wondering if it is practically possible through the "name"
field as well.
Sure it is.
Also, for XML or SOAP requests is it possible using "element name" or
"attribute name" as opposed to "character data of an element" or
"attribute value" which is generally seen.
Could be...for the same reason as the one you mention bellow but it'd
find it a more unlikely scenario.
When you read from XML you usually tend to look for what you want
specifically.
I think SQL injection can happen using the field name, typically if some
lazy developers are using the column name in the SQL DB as a "name" in
the form and just blindly using the form-field "name" in his SQL INSERT
(or so) queries.
Yep, for that reason exactly.
Would like to see your comments on this.
My comment is that I'm really embarrassed that this hadn't occurred to
me before you mentioned it.
Thanks,
Nilesh
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
Through XMLs it would be much difficult, since any special characters (
*, ', ;, \ etc.) or spaces in XML "element name" or "attribute name"
would make it a non-wellformed XML and all the SOAP processors/XML
parsers will discard such messages there itself.
Can anyone come-up with practical cases making this possible (through
XML as well as HTML Forms any other case than I already mentioned)?
~ Nilesh
On Tuesday 01 February 2011 10:54 AM, Tasos Laskos wrote:
On 01/02/11 05:24, Tasos Laskos wrote:
Hi,
On 01/02/11 05:03, Nilesh Bhosale wrote:
Hi,
Generally, SQL injection is possible with the "value" field in a
HTML form.
I was just wondering if it is practically possible through the "name"
field as well.
Sure it is.
Also, for XML or SOAP requests is it possible using "element name" or
"attribute name" as opposed to "character data of an element" or
"attribute value" which is generally seen.
Could be...for the same reason as the one you mention bellow but it'd
find it a more unlikely scenario.
When you read from XML you usually tend to look for what you want
specifically.
I think SQL injection can happen using the field name, typically if
some
lazy developers are using the column name in the SQL DB as a "name" in
the form and just blindly using the form-field "name" in his SQL INSERT
(or so) queries.
Yep, for that reason exactly.
Would like to see your comments on this.
My comment is that I'm really embarrassed that this hadn't occurred
to me before you mentioned it.
Thanks,
Nilesh
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
Any element used by the web application could qualify for this.
Cookies, headers, URL parameters...
If someone uses their own library to dynamically create SQL queries and
they just pass a hash
(which is usually the data-structure of choice for that fort of thing)
of any of the aforementioned elements
operating under the confidence that the hash keys (form, cookie, link
param or headers names) have not been altered then that's your practical
case right there.
We've all seen far more naive things going on in webapps, this isn't so
far fetched.
That's true about the XML but if the attribute names go unexamined who
says that you won't be able to include well-formed XML code in them?
On 01/02/11 05:29, Nilesh Bhosale wrote:
Through XMLs it would be much difficult, since any special characters (
*, ', ;, \ etc.) or spaces in XML "element name" or "attribute name"
would make it a non-wellformed XML and all the SOAP processors/XML
parsers will discard such messages there itself.
Can anyone come-up with practical cases making this possible (through
XML as well as HTML Forms any other case than I already mentioned)?
~ Nilesh
On Tuesday 01 February 2011 10:54 AM, Tasos Laskos wrote:
On 01/02/11 05:24, Tasos Laskos wrote:
Hi,
On 01/02/11 05:03, Nilesh Bhosale wrote:
Hi,
Generally, SQL injection is possible with the "value" field in a
HTML form.
I was just wondering if it is practically possible through the "name"
field as well.
Sure it is.
Also, for XML or SOAP requests is it possible using "element name" or
"attribute name" as opposed to "character data of an element" or
"attribute value" which is generally seen.
Could be...for the same reason as the one you mention bellow but it'd
find it a more unlikely scenario.
When you read from XML you usually tend to look for what you want
specifically.
I think SQL injection can happen using the field name, typically if
some
lazy developers are using the column name in the SQL DB as a "name" in
the form and just blindly using the form-field "name" in his SQL INSERT
(or so) queries.
Yep, for that reason exactly.
Would like to see your comments on this.
My comment is that I'm really embarrassed that this hadn't occurred
to me before you mentioned it.
Thanks,
Nilesh
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
You just XML encode your attack. Many XML libraries auto-decode as you
pull data from the XML.
-Jim Manico
http://manico.net
On Jan 31, 2011, at 11:33 PM, Nilesh Bhosale nilesh@gslab.com wrote:
Through XMLs it would be much difficult, since any special characters (
*, ', ;, \ etc.) or spaces in XML "element name" or "attribute name"
would make it a non-wellformed XML and all the SOAP processors/XML
parsers will discard such messages there itself.
Can anyone come-up with practical cases making this possible (through
XML as well as HTML Forms any other case than I already mentioned)?
~ Nilesh
On Tuesday 01 February 2011 10:54 AM, Tasos Laskos wrote:
On 01/02/11 05:24, Tasos Laskos wrote:
Hi,
On 01/02/11 05:03, Nilesh Bhosale wrote:
Hi,
Generally, SQL injection is possible with the "value" field in a
HTML form.
I was just wondering if it is practically possible through the "name"
field as well.
Sure it is.
Also, for XML or SOAP requests is it possible using "element name" or
"attribute name" as opposed to "character data of an element" or
"attribute value" which is generally seen.
Could be...for the same reason as the one you mention bellow but it'd
find it a more unlikely scenario.
When you read from XML you usually tend to look for what you want
specifically.
I think SQL injection can happen using the field name, typically if
some
lazy developers are using the column name in the SQL DB as a "name" in
the form and just blindly using the form-field "name" in his SQL INSERT
(or so) queries.
Yep, for that reason exactly.
Would like to see your comments on this.
My comment is that I'm really embarrassed that this hadn't occurred
to me before you mentioned it.
Thanks,
Nilesh
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org