Stack Overflow is teeming with questions that ask “is the following database code safe from SQL injection?”. This prompts me to think it would be interesting to develop a system that walks users through some examples of SQL injection, in a browser-illustrated way.
The user could be challenged to find a set of managed vulnerabilities using whatever tools they have at their disposal, with hints or answers available where a user can't find the injection. Challenges might include:
- A simple GET injection in a query string
- A POST injection that requires a browser plugin or external tool
- A SELECT injection that returns more data than the user is entitled to
- A SELECT injection that returns nothing from the target table and instead returns entries from a secret table
- An UPDATE injection that overwrites a plaintext password field
- An UPDATE injection that overwrites an MD5 password field
- An UPDATE injection that overwrites an MD5 and username-salted password field
- An illustration of query execution where only single statements are supported, and its impact on injection opportunities
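As an added example (not code from the original post), here is the kind of vulnerable/fixed pair the first few challenges would put in front of a learner, written in Python against an in-memory SQLite database with constructed sample rows: a string-spliced SELECT that returns every row once the WHERE clause is subverted, the same query with a bound parameter so the input can only ever be compared as data, and a check that the driver refuses stacked "stmt1; stmt2" text, which is the single-statement execution model the last list item refers to. The `users` table, the sample rows and the function names are assumptions.

```python
import sqlite3


# Constructed sample table and rows for the challenge; not data from any real system.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("bob", "bob@example.com"),
         ("carol", "carol@example.com")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The 'simple GET injection' case: the query-string value is spliced into the SQL
    text, so a quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Same query with a bound parameter: the driver hands the value to SQLite separately
    from the SQL text, so whatever it contains is compared as data, never parsed."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def executes_as_single_statement(conn, sql):
    """True if the driver ran the text as one statement, False if it refused a stacked
    'stmt1; stmt2' string. This is the single-statement execution model from the list:
    it removes the 'append another statement' route but does nothing for the SELECT
    leak above. Older Python versions raise sqlite3.Warning here, newer ProgrammingError."""
    try:
        conn.execute(sql)
        return True
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return False


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # the tautology every SQL injection tutorial starts with
    print("vulnerable, normal input :", lookup_vulnerable(db, "alice"))
    print("vulnerable, tautology    :", lookup_vulnerable(db, probe))   # every row
    print("parameterised, tautology :", lookup_safe(db, probe))         # no rows
    print("stacked statements run?  :", executes_as_single_statement(db, "SELECT 1; SELECT 2"))
```

The point worth making to a learner at this stage is that the second and third results differ only in how the value reaches the database: the SQL text in `lookup_safe` is fixed, so there is nothing for a quote character to close.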
There are two approaches to how this might work: scanning strings and manually ‘detecting’ injections, or – riskier – running all queries verbatim inside a transaction, with limited permissions on just one database.
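An added example, not part of the original post, of the second approach: a learner's statement is run verbatim inside a transaction that is always rolled back, on a connection whose permissions are cut down with SQLite's authorizer hook (standing in for the limited database-user permissions the post has in mind) so that only reads and row writes on the challenge's own tables are possible, while schema changes, PRAGMA, ATTACH and COMMIT are refused before they execute. The schema, the permission policy and the function names are assumptions. The rollback means the challenge state is rebuilt for free for the next attempt, and the returned row count still shows the learner what the statement would have done.

```python
import sqlite3

# Constructed challenge schema; assumed policy: only these tables may be read or written.
CHALLENGE_TABLES = {"users", "secrets"}


def authorizer(action, arg1, arg2, db_name, trigger):
    """SQLite authorizer callback, the 'limited permissions' half of the idea.
    Anything not explicitly allowed here fails at prepare time with 'not authorized'."""
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION):
        return sqlite3.SQLITE_OK
    if action in (sqlite3.SQLITE_READ, sqlite3.SQLITE_INSERT,
                  sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE):
        # arg1 is the table name for these actions
        return sqlite3.SQLITE_OK if arg1 in CHALLENGE_TABLES else sqlite3.SQLITE_DENY
    if action == sqlite3.SQLITE_TRANSACTION and arg1 in ("BEGIN", "ROLLBACK"):
        return sqlite3.SQLITE_OK  # the harness's own transaction control; COMMIT stays denied
    return sqlite3.SQLITE_DENY


def make_sandbox_db():
    # isolation_level=None: no implicit transactions, the harness issues BEGIN/ROLLBACK itself
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE secrets (id INTEGER PRIMARY KEY, flag TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "hunter2"), ("bob", "swordfish")])  # constructed rows
    conn.execute("INSERT INTO secrets (flag) VALUES (?)", ("FLAG{constructed-sample}",))
    conn.set_authorizer(authorizer)  # lock the connection down once it is seeded
    return conn


def snapshot(conn):
    """Observable challenge state, used to show that the sandbox left nothing behind."""
    users = conn.execute("SELECT username, password FROM users ORDER BY id").fetchall()
    secrets = conn.execute("SELECT flag FROM secrets ORDER BY id").fetchall()
    return users, secrets


def run_in_sandbox(conn, sql):
    """Run one untrusted statement verbatim inside a transaction, report what it returned
    or how many rows it would have changed, then roll everything back regardless."""
    conn.execute("BEGIN")
    try:
        cur = conn.execute(sql)
        rows = cur.fetchall()
        # rowcount is the changed-row count for INSERT/UPDATE/DELETE and -1 for SELECT
        result = {"ok": True, "rows": rows, "rows_changed": max(cur.rowcount, 0), "error": None}
    except (sqlite3.DatabaseError, sqlite3.Warning) as exc:
        # covers 'not authorized' from the authorizer, syntax errors and stacked statements
        result = {"ok": False, "rows": [], "rows_changed": 0, "error": str(exc)}
    finally:
        conn.execute("ROLLBACK")
    return result


if __name__ == "__main__":
    db = make_sandbox_db()
    before = snapshot(db)
    print(run_in_sandbox(db, "UPDATE users SET password = 'changed'"))  # rows_changed == 2
    print(run_in_sandbox(db, "SELECT flag FROM secrets"))               # the 'secret table' row
    print(run_in_sandbox(db, "DROP TABLE secrets"))                     # refused by the authorizer
    print("state unchanged:", snapshot(db) == before)                    # True
```

Two things keep this from being as risky as the post suggests: the learner's statement can touch nothing outside the challenge tables because the authorizer rejects it at prepare time, and even an UPDATE that rewrites every password is undone by the `ROLLBACK` in the `finally` block, so a failed or malicious attempt can never leave the next learner a corrupted database.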
This idea could be broadened out to all sorts of things. How about JS exploits, such as cookie stealing and cross-site scripting?