SQL Injection Vulnerabilities




Exploiting a SQL injection vulnerability lets an attacker persistently alter the dynamically generated and stored page content of the attacked site so that it includes malicious code. Visitors to the site may then be redirected to malicious sites.

SQL injection attack vectors are the data that the user passes to the vulnerable web application and that the supporting database then processes. In practice, the most common vectors are data transmitted through HTTP POST and HTTP GET. Other attack vectors are the HTTP User-Agent, HTTP cookie data, and Referer header values. Some SQL injection vulnerabilities can be exploited by authenticating as an unprivileged user account, depending on where the application fails to sanitize its input. Sites that readily and easily allow users to create new accounts therefore carry additional risk.

Automatic detection of SQL injection vulnerabilities relies on heuristics about how the target application behaves in response to specially crafted queries. The techniques used in these detection heuristics are classified into three categories. One is Boolean-based blind SQL injection, which involves supplying multiple valid statements that evaluate to true or false in the affected area of the HTTP request. By comparing the response page between both situations, the tool can infer whether the injection succeeded.
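The following is an added example, not code from the original page: it shows a lookup keyed on an HTTP cookie value written once with string concatenation and once with a bound parameter, and checks whether each version answers a true condition and a false condition differently, which is the response difference a Boolean-based check relies on. The `visits` table, the `tracking_id` cookie and all sample values are constructed assumptions.

```python
import sqlite3

def make_db():
    """In-memory database filled with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE visits (tracking_id TEXT, page TEXT)")
    db.executemany("INSERT INTO visits VALUES (?, ?)",
                   [("abc123", "/home"), ("def456", "/cart")])
    return db

def visits_vulnerable(db, tracking_id):
    # The cookie value is pasted into the SQL text, so quote characters
    # in it can change the structure of the WHERE clause.
    sql = "SELECT page FROM visits WHERE tracking_id = '" + tracking_id + "'"
    return [row[0] for row in db.execute(sql)]

def visits_hardened(db, tracking_id):
    # The placeholder binds the cookie value as data; it is never parsed as SQL.
    sql = "SELECT page FROM visits WHERE tracking_id = ?"
    return [row[0] for row in db.execute(sql, (tracking_id,))]

# Constructed cookie values: the same string ending in a true or a false condition.
TRUE_CASE = "zzz' OR '1'='1"
FALSE_CASE = "zzz' OR '1'='2"

def responses_differ(lookup, db):
    """True when the two values get different answers, meaning the
    cookie value was evaluated as part of the SQL statement."""
    return lookup(db, TRUE_CASE) != lookup(db, FALSE_CASE)

if __name__ == "__main__":
    db = make_db()
    for name, fn in (("concatenated", visits_vulnerable),
                     ("parameterized", visits_hardened)):
        print(name, "answers differ:", responses_differ(fn, db))
```

The same comparison works as a regression test for any query that takes its input from a request header, cookie, GET or POST field.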