A1 - INJECTION
Introduction
Injections can occur on multiple platforms such as LDAP, SQL and SMTP headers. For this vulnerability, we will focus on SQL injection. Poor coding and error handling on input fields can cause this vulnerability to appear. This is one example of how to show whether the vulnerability is present in the website. Such a vulnerability can result in data loss, data corruption, lack of accountability, denial of access, or complete host takeover.
Tools needed:
- BurpSuite
- SQLinjectme plugin from Firefox
Videos
Automated SQL testing with BurpSuite
True Statement
SQL testing using SQLinjectme
Other possible methods:
Some tips for fixing the vulnerability:
- Use preg_match to filter out special characters like (",",!,@,#,') or strings like (1=1)
- Use mysqli_real_escape_string() on all input fields
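The two tips above combined in one input-handling routine, as an added example that is not code from the original page. The `users` table, its columns, the function names and the `DB_*` environment variables are assumptions; the sample inputs are constructed.

```php
<?php
// Added example. Names (users table, DB_* variables, helper functions) are hypothetical.

// Tip 1: preg_match as an allow-list. Accept only what the field should
// contain rather than listing bad characters such as ' " # or "1=1".
function valid_username(string $s): bool {
    return preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $s) === 1;
}

function valid_id(string $s): bool {
    return preg_match('/\A[0-9]{1,9}\z/', $s) === 1;
}

// Tip 2: mysqli_real_escape_string() on the string value. The escaped value
// must sit inside quotes in the query; the numeric value is cast instead,
// because escaping does nothing for an unquoted number.
function build_user_query(mysqli $db, string $username, string $id): ?string {
    if (!valid_username($username) || !valid_id($id)) {
        return null; // reject the request, do not try to repair the value
    }
    $u = mysqli_real_escape_string($db, $username);
    return "SELECT id, username FROM users WHERE username = '$u' AND id = " . (int)$id;
}

// Constructed sample inputs: two normal requests, two with a true statement appended.
$samples = [
    ['alice', '42'],
    ['bob_01', '7'],
    ["alice' OR 1=1 -- ", '42'],
    ['alice', '42 OR 1=1'],
];

foreach ($samples as [$name, $id]) {
    $ok = valid_username($name) && valid_id($id);
    printf("%-22s %-12s %s\n", var_export($name, true), var_export($id, true),
           $ok ? 'accepted' : 'rejected');
}

// The database part runs only when connection settings are provided.
if (getenv('DB_HOST') !== false) {
    $db = mysqli_connect(getenv('DB_HOST'), getenv('DB_USER') ?: '',
                         getenv('DB_PASS') ?: '', getenv('DB_NAME') ?: '');
    mysqli_set_charset($db, 'utf8mb4'); // escaping depends on the connection charset
    foreach ($samples as [$name, $id]) {
        $sql = build_user_query($db, $name, $id);
        echo ($sql ?? 'rejected before reaching SQL'), "\n";
    }
}
```

Without the database settings the script still prints which of the sample inputs pass validation.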