[Full-disclosure] Cookie based SQL Injection
- To: <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] Cookie based SQL Injection
- From: "Adam Behnke" <adam@xxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 6 Mar 2012 14:28:51 -0600
All data sent by the browser to a Web application, if used in a SQL query, can
be manipulated in order to inject SQL code: GET and POST parameters, cookies
and other HTTP headers. Some of these values can be found in the environment
variables. The GET and POST parameters are typically entered into HTML forms,
which can contain hidden fields, i.e. information that is in the form but not shown.
GET parameters are contained in the URL and POST parameters are passed as HTTP
content. Nowadays, and with the growth of Web 2.0 technologies, the GET and
POST requests can also be generated by JavaScript.

Injecting malicious code in a cookie:
Unlike other parameters, cookies are not supposed to be handled by users.
Outside of session cookies, which are (usually) random, cookies may contain data
in the clear or encoded as hexadecimal, base64, hashes (MD5, SHA1), or serialized
information. If we can determine the encoding used, we will attempt to inject
SQL commands. Read more about the technique here:
http://resources.infosecinstitute.com/cookie-based-sql-injection/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
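
Added example, not part of the original post: the cookie handling described above, shown as an unsafe lookup beside a hardened one, so the fix (validate the decoded value, then bind it as a parameter) is concrete. The base64 `user` cookie, the `users` table, the username policy and all function names are assumptions made for illustration.

```python
import base64
import binascii
import re
import sqlite3

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")  # assumed username policy


def make_db():
    """In-memory table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db


def decode_cookie(value):
    """Decode the hypothetical base64 'user' cookie; None if malformed."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def lookup_vulnerable(db, cookie):
    """'Before': the decoded cookie is concatenated into the SQL text."""
    name = decode_cookie(cookie)
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return db.execute(sql).fetchall()


def lookup_hardened(db, cookie):
    """'After': allow-list check, then a bound parameter."""
    name = decode_cookie(cookie)
    if name is None or not USERNAME_RE.fullmatch(name):
        return []  # reject; a real application would also log the anomaly
    return db.execute("SELECT name, role FROM users WHERE name = ?",
                      (name,)).fetchall()


def b64(text):
    return base64.b64encode(text.encode()).decode()


if __name__ == "__main__":
    tampered = b64("x' OR '1'='1")  # constructed test input
    print(lookup_vulnerable(make_db(), tampered))  # both rows returned
    print(lookup_hardened(make_db(), tampered))    # []
```

Encoding the cookie does not protect the query: the server decodes it before use, so the decoded value needs the same treatment as any GET or POST parameter.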