Thoughts on website ideas, PHP and other tech topics, plus going car-free
SQL injection walk-through
Categories: Ideas, Outline

Stack Overflow is teeming with questions that ask “is the following database code safe from SQL injection?”. This prompts me to think it would be interesting to develop a system that walks users through some examples of SQL injection, in a browser-illustrated way.

The user could be challenged to find a set of managed vulnerabilities using whatever tools they have at their disposal. Hints or answers could be made available to users where a user can’t find the injection.

  • A simple GET injection in a query string
  • A POST injection that requires a browser plugin or external tool
  • A SELECT injection that returns more data than the user is entitled to
  • A SELECT injection that returns nothing from the target table and instead returns entries from a secret table
  • An UPDATE injection that overwrites a plaintext password field
  • An UPDATE injection that overwrites an MD5 password field
  • An UPDATE injection that overwrites an MD5 and username-salted password field
  • An illustration of query execution where only single statements are supported, and its impact on injection opportunities

There are two approaches to how this might work: scanning strings and manually ‘detecting’ injections, or – riskier – running all queries verbatim inside a transaction, with limited permissions on just one database.

This idea could be broadened out to all sorts of things. How about JS exploits, such as cookie stealing and cross-site scripting?

2 Comments to “SQL injection walk-through”

  1. Tomas says:

    Here’s one for XSS by Google

Leave a Reply