Identify Data Entries for SQL Injection Attacks
Where SQL injection vulnerabilities could be found
First and foremost, the tester will need to identify data entries before attempting an attack. Despite the fact that SQL injection is among today's most popular security issues, all fields are not necessary vulnerable. For this reason, you must be aware of all possible ways malicious input could be submitted to an application in order to find one where input validation is insufficient.
Parameters in URL
The most frequently attacked parameters are without a doubt those in the URL. These parameters, also named GET parameters, are often used to specify a page id or a search string. Here is an example.
Search page with search string as GET parameter.
For diverse reasons, web developers sometimes create custom URL for their web applications. When URL rewriting is used, the new URL does not always reflect how the script is called. It often ends up that GET parameters are not clearly distinguished. Here is what it could look like.
User calls the page.
URL rewriting interprets the request as the following.
Because URL length is limited to about 2,000 characters, some attacks against GET parameters may be blocked. However the main drawback comes when URL rewriting is used. In most cases, each section (value enclosed between two slashes) is limited to 256 characters.
The Web is filled with forms for users to interact with the system. Search boxes, registration forms, newsletter subscription, login forms, etc. Those are especially present in applications where information exchange between the user and the database is important. Generally speaking, POST parameters are used to submit form data to a webpage but it is also possible that form values are sent as GET parameters.
This sort of data entry is not limited to Web-based applications. As mentioned in the introduction article "What Is SQL Injection", software can also be vulnerable to this security issue.
When the browser sends a request to a web server, it creates an HTTP request containing information such as HTTP headers. The most popular are User-Agent, Referer, X-Forwarded-For and Accept-Charset. Information contained in headers is frequently used to log details about the visitor in the database. If the webpage creates a dynamic query with those values, it could be vulnerable to SQL injection.
Cookies are also part of HTTP header information. All cookie information can be found in Cookie headers sent when a request is made to a web server. This is another common way for the tester to try injecting SQL segments.
Additional Data Entries
Most ways to submit input have been covered, but you should always be looking for new possibilities to inject data. For example, it could be as simple as modifying an entry in a configuration file for a software. Be creative and think out of the box!