Security Workbook on Pentesting
Search…
Security Workbook on Pentesting
About us
References
Bug Bounty
Resources
Web-App Pentest
API Pentest
Android App Pentest
iOS App Pentest
Network Pentest
Source Code Review
Cloud Security
Thick Client Pentesting
Architecture
Testing Approach
Hardcoded Sensitive information
Unquoted Service Paths
DLL Hijacking
SQL Injection
Lack of code obfuscation
Buffer Overflow
Mindmaps
Tools Cheat Sheet
Bug Bounty & Pen-Test Templates
CTF's
Powered By GitBook
SQL Injection
A SQL injection attack consists of the insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack in which SQL commands are injected into data-plane input to affect the execution of predefined SQL commands.
According to OWASP
The application uses an SQL server(on the same machine) to maintain the data such as credentials, etc., and if the application has login functionality, that might be vulnerable to SQL injection. An attacker can bypass the authentication and gain access to the application.
Note:
    We have seen this case in 2 tier applications since they use a SQL/SQLite/MSaccess Server/file to maintain data on the same machine.
    It is often observed that 3 tier application uses API and that might be vulnerable to SQL injection.
Previous
DLL Hijacking
Next
Lack of code obfuscation
Last modified 4mo ago
Copy link