In fact, the HTTP_X_FORWARDED_FORenvironment variables are not sufficiently filtered before using the SQL query, which also leads to the injection of arbitrary SQL code through this field during the SQL query. After that, preg_matchverify whether there is at least one legal IP address through the method. Obviously, the ip address HTTP头X_FORWARDED_FORgets the return value by. Sanitize() The method controls the correctness of the login variables. $req = mysql_query("SELECT user,password FROM admins WHERE user='".sanitize($_POST)."' AND password='".md5($_POST)."' AND ip_adr='".ip_adr()."'") Let's look at an example of a form submission vulnerability. It is considered to be a standard for the client to connect to the web server through HTTP proxy or load balancer to obtain the source ip address. X-Forwarded-ForIs a field of the HTTP header. There are also other HTTP header information related to the application. Later we will see an example of using cookies for SQL injection. When we store the session ID in the database, we should first test HTTP cookies as the first potential HTTP variable.
User-Agent: Mozilla/5.0 (Windows U Windows NT 5.1 en-US The HTTP header fields are part of the request and response information in the Hypertext Transfer Protocol (HTTP), and they define the operating parameters of the HTTP transmission.įor example: Requested HTTP GET / HTTP/1.1 Potential HTTP header SQL injection HTTP header field Also, when the vulnerability scanner we use does not support these features, we should consider manually testing these parameters. Therefore, these two vectors should be considered in the test case. In fact, HTTP Headers and Cookies are not taken seriously. Some automated testing tools may cause unsatisfactory results when processing HTTP headers as a SQL injection input vector. The scores for GET and POST are relatively reasonable. These ratios fully illustrate the capabilities of these scanners in scanning input vectors, not just simple explanations.
In addition, 70% of these scanners also incorrectly check the HTTP Cookies vulnerability. This chart clearly shows that 75% of web application scanners cannot find vulnerabilities related to HTTP Headers parameters. HTTP Headers: Headers used by HTTP submission applications HTTP Cookie parameters: Input parameters are sent via HTTP cookies
HTTP body parameters (POST): Input parameters are sent via HTTP body HTTP query character parameters (GET): input parameters are sent via URL This standard, mainly used to test URLs in commercial and open source software, has been released by security researcher Shay Chen in 2011.įor the case where the scanner for testing web applications supports input parameter coverage, we have summarized it in the chart below. What about other HTTP header parameters? Are they not potential SQL injection attack input vectors? How do we test these HTTP parameters and what kind of vulnerability scanners are used to find vulnerabilities in these applications? Coverage of input parameters in web application scannerīy comparing 60 commercial and open source black box web application vulnerability scanners, an article was published: "Scanning Corps: Scanning Accuracy Evaluation & Function Comparison". Sometimes, when testing web applications, test cases for SQL injection vulnerabilities are usually limited to special input vector GET and POST variables. In vulnerability assessment and penetration testing, determining the input vector of the target application is the first step.