[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Cookie based SQL Injection

To: <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] Cookie based SQL Injection
From: "Adam Behnke" <adam@xxxxxxxxxxxxxxxxxxxx>
Date: Tue, 6 Mar 2012 14:28:51 -0600

All data sent by the browser to a Web application, if used in a SQL query, can 
be manipulated in order to inject SQL code: GET and POST parameters, cookies 
and other HTTP headers. Some of these values can be found in the environment 
variables. The GET and POST parameters are typically entered into HTML forms, 
they can contain hidden fields, i.e. information that is in form but not shown. 
GET parameters are contained in the URL and POST parameters are passed as HTTP 
content. Nowadays, and with the growth of Web 2.0 technologies, the GET and 
POST requests can also be generated by JavaScript.

Injecting malicious code in cookie:

Unlike other parameters, cookies are not supposed to be handled by users. 
Outside of session cookies which are (usually) random, cookies may contain data 
in clear or encoded in hexadecimal, base64, hashes (MD5, SHA1), serialized 
information. If we can determine the encoding used, we will attempt to inject 
SQL commands. Read more about the technique here:

http://resources.infosecinstitute.com/cookie-based-sql-injection/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Cookie based SQL Injection
  - From: Valdis . Kletnieks

Prev by Date: Re: [Full-disclosure] Full disclosure is arrest of Sabu
Next by Date: Re: [Full-disclosure] Cookie based SQL Injection
Previous by thread: Re: [Full-disclosure] Full disclosure is arrest of Sabu
Next by thread: Re: [Full-disclosure] Cookie based SQL Injection
Index(es):
- Date
- Thread