Re: sql injection: url or form based?

From: Brian Rectanus (brectanu@gmail.com)
Date: Sat Feb 11 2006 - 00:38:28 EST


One big difference is that if you can accomplish the same injection
attack via GET or POST, then POST would be preferred (or not preferred,
depending on what side you are taking here, heh). The chances of the
POSTed data being logged are low, and that would lower the chances of
detecting the attack. Also, any URL-based checks (à la rewrite, etc.)
may be avoided with a POST.

-B
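
The logging gap described in the message above, seen from the defender's side, as an added example that is not part of the original post: a WSGI wrapper that records form-encoded POST parameters next to query-string parameters so both reach the same audit log. `MAX_BODY`, `REDACT` and every function and class name are assumptions made for this illustration.

```python
import io
from urllib.parse import parse_qsl

MAX_BODY = 8192                  # assumed cap on the size of a body that is audited
REDACT = {"password", "passwd"}  # assumed names of fields never written to the log

def request_params(environ):
    """Collect (source, name, value) from the query string and a form-encoded POST body."""
    found = [("query", k, v) for k, v in
             parse_qsl(environ.get("QUERY_STRING", ""), keep_blank_values=True)]
    ctype = environ.get("CONTENT_TYPE", "").split(";")[0].strip().lower()
    if environ.get("REQUEST_METHOD") != "POST" or ctype != "application/x-www-form-urlencoded":
        return found
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        length = 0
    if length > MAX_BODY:
        found.append(("body", "<oversize>", str(length)))  # flag it rather than buffer it
        return found
    body = environ["wsgi.input"].read(length)
    environ["wsgi.input"] = io.BytesIO(body)  # hand the application an unread copy
    found += [("body", k, v) for k, v in
              parse_qsl(body.decode("latin-1"), keep_blank_values=True)]
    return found

def audit_lines(environ):
    """One log line per parameter; %r escapes CR/LF so a value cannot forge a log line."""
    lines = []
    for source, name, value in request_params(environ):
        shown = "<redacted>" if name.lower() in REDACT else value
        lines.append("%s %s %s %s %r=%r" % (
            environ.get("REMOTE_ADDR", "-"), environ.get("REQUEST_METHOD", "-"),
            environ.get("PATH_INFO", "-"), source, name, shown))
    return lines

class AuditMiddleware:
    """WSGI wrapper: log query and body parameters, then pass the request on unchanged."""
    def __init__(self, app, log):
        self.app, self.log = app, log

    def __call__(self, environ, start_response):
        for line in audit_lines(environ):
            self.log.info(line)
        return self.app(environ, start_response)
```

Any parameter inspection that already runs on URLs can be pointed at the `(source, name, value)` tuples so that it covers the request body as well.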



