Many kinds of functionality oblige a web application to read from or write to a file system on the basis of parameters supplied within user requests. If these operations are carried out in an unsafe manner, an attacker can submit crafted input which causes the application to access files that the application designer did not … Read more
Many applications contain a facility for users to submit messages via the application; for example, to report a problem to support personnel or provide feed-back about the web site. This facility is usually implemented by interfacing with a mail (or SMTP) server. Typically, user-supplied input will be inserted into the SMTP conversation that the application server … Read more
The XML Path Language (or XPath) is an interpreted language used for navigating around XML documents, and for retrieving data from within them. In most cases, an XPath expression represents a sequence of steps that is required to navigate from one node of a document to another. Where web applications store data within XML documents, … Read more
The Simple Object Access Protocol (SOAP) is a message-based communications technology that uses the XML format to encapsulate data. It can be used to share information and transmit messages between systems, even if these run on different operating systems and architectures. Its primary use is in web services, and in the context of a browser-accessed … Read more
Many scripting languages support the use of include files. This facility enables developers to place reusable code components into individual files, and to include these within function-specific code files as and when they are needed. The code within the included file is interpreted just as if it had been inserted at the location of the … Read more
The core logic of most web applications is written in interpreted scripting languages like PHP, VBScript, and Perl. In addition to the possibilities for injecting into languages used by other back-end components, a key area of vulnerability concerns injection into the core application code itself. Exposure to this type of attack arises from two main … Read more
In some situations, an application that is vulnerable to SQL injection may implement various input filters that prevent you from exploiting the flaw without restrictions. For example, the application may remove or sanitize certain characters, or may block common SQL keywords. Filters of this kind are often vulnerable to bypasses, and there are numerous tricks … Read more
If you are attacking an MS-SQL database, then there are alternative ways available of discovering the names of database tables and columns, and of extracting useful data. MS-SQL generates extremely verbose error messages, which can be exploited in various ways. Enumerating Table and Column Names Recall the login function described earlier, which performs the following SQL … Read more
In order to extract useful data from the database, you normally need to know the names of the tables and columns containing the data you wish to access. The main enterprise DBMS’s contain a rich amount of database metadata that you can query to discover the names of every table and column within the database. … Read more
The UNION operator is used in SQL to combine the results of two or more SELECT statements into a single result set. When a web application contains a SQL injection vulnerability that occurs in a SELECT statement, you can often employ the UNION operator to perform a second, entirely separate query, and combine its results with … Read more