From: LAROUCHE Francois (Francois.LAROUCHE@consulting-for.accor.com)
Date: Mon Feb 13 2006 - 11:10:07 EST
Hi Johnny,
I think you've got the essential of the differences with the previous answers.
But one was missing: the limit of the size of the GET. (about 2083 for IE if I recall well). Some URL by themselves can be REALLY long without any SQL injection and if you find a UNION injection and it needs let's say 60 values AND you need to encode each character + add comments between words to evade IDS, reverse proxies, or filters then you can go easily beyond the limit of the URL for the given web server. Or when you want to create a new function or stored procedure on the attacked sql server, you need space as well.
Don't laugh. It happened to me a couple of times...
POST has no limit.
Personally, I prefer POST. Especially over HTTPS, it's a nice way to be really stealthy :) And besides, programmers are much more lazy when it comes to check values from hidden or select HTML tags, they think since it's "hidden" it cannot be tampered with.
Cheers!
François Larouche
-----Original Message-----
From: johnny Mnemonic [mailto:security4thefainthearted@hotmail.com]
Sent: Friday, February 10, 2006 7:07 AM
To: pen-test@securityfocus.com
Subject: sql injection: url or form based?
I see many references to manipulation of SQL backend databases through both URL based and Forms based SQL injection but I'm wondering what are the
essentials differences between both methods and when to use one over the
other.
Thanks.
_________________________________________________________________
Get cheap fares online with MSN Travel http://www.msn.com.sg/travel/
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
This e-mail, any attachments and the information contained therein ("this message") are confidential and intended solely for the use of the addressee(s). If you have received this message in error please send it back to the sender and delete it. Unauthorized publication, use, dissemination or disclosure of this message, either in whole or in part is strictly prohibited.
**********************************************************************
Ce message électronique et tous les fichiers joints ainsi que les informations contenues dans ce message ( ci après "le message" ), sont confidentiels et destinés exclusivement à l'usage de la personne à laquelle ils sont adressés. Si vous avez reçu ce message par erreur, merci de le renvoyer à son émetteur et de le détruire. Toutes diffusion, publication, totale ou partielle ou divulgation sous quelque forme que se soit non expressément autorisées de ce message, sont interdites.
**********************************************************************
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:31 EDT