search
Personal BlogTwitterGitHubContact

SQL Injection

hashtag
Detecting SQL Injection

  • Submitting the single quote character ' and looking for errors or other anomalies.

  • Submitting some SQL-specific syntax that evaluates to the base (original) value of the entry point, and to a different value, and looking for systematic differences in the resulting application responses.

  • Submitting Boolean conditions such as OR 1=1 and OR 1=2, and looking for differences in the application's responses.

  • Submitting payloads designed to trigger time delays when executed within a SQL query, and looking for differences in the time taken to respond.

  • Submitting OASTarrow-up-right payloads designed to trigger an out-of-band network interaction when executed within a SQL query, and monitoring for any resulting interactions.

LogoWhat is SQL Injection? Tutorial & Examples | Web Security AcademyWebSecAcademychevron-right

hashtag
References When Hunting SQLi

hashtag
PortSwigger SQL Injection Cheat Sheet

LogoSQL injection cheat sheet | Web Security AcademyWebSecAcademychevron-right

hashtag
NetSPI SQL Injection Wiki

LogoNetSPI SQL Injection Wikinetspichevron-right
The SQL Injection Knowledge Basewww.websec.cachevron-right
PreviousServer-Side Template InjectionNextJSON Web Tokens (JWT)

Last updated