Spread the love

What is SQL Injection in Testing?

Spread the love

SQL Injection
SQL Injection

This post talks about sql injection,sql injection test,sql injection prevention mechanism,sql injection attack example,sql injection types.

SQL Injection

Injection attacks persists on many technologies.This happens when no strict separation between computer instruction and user input.
Typical structure of a program is:

|input|   __________   |output|
——–| internal logic |—–

So a program expects an input for system to run and there if proper restriction is not put then attacker can interrupt the system.
injection refers to an instruction to the existing query.

The injection technology requires three components:
1. Technology Identification:
2. Transmission Process
3. Input that are prone to attack

Technology Identification:

This is  process where attacker gain knowledge about the system by web language or hardware processing. Web language can be identified by seeing the webpage but more details can be obtained by viewing
1. Error page
2. Javascript error details
3. view page source
Every technology if loosely coded can be cracked by a smart hacker. The tools we use are:
1. nessus
2. nmap
3. THC- amap

Transmission Process:

How we use to send data to server.Remember our college days!! where we use to develop web based projects….exactly get and post.
get send the user input to server through url
post sends the user input through SSL that is through secure mechanism

READ  Field Level Validation An Important Aspect of Manual Testing

so if get is used people can easily manipulate. Now hackers are more smart they can aso manipulate
1. Hidden html forms
2. HTTP headers
3. cookie

READ  Field Level Validation An Important Aspect of Manual Testing

even the backend asynchronous javascript and xml(AJAX) can be manipulated.few days back orkut was supporting these codes.
tools are
1. webscarab
2. Burp

Input that are prone to attach checkout the error page:

say there is a login page with id and password as input.The mechanism is user gives an input as id and password and clicks on submit button
The form send the data in a secure manner

 form name=form1,method=post()

now server catches the information  by

string username=req.getparameter("user_name")
string password=req.getparameter("password")

the query might be

select id from user_table where user_name='username' and password='password'

the structure of sql query will be

srting query="select if from user_table where"+"username='"+ username+" 'and"+
"password='"+password+"'and resultset rs=stmt.executequery(query)
ind id=-1 

if the coder has not excluded these following vernability points in the backend in SQL

1.’ or 1=1 —
2. ‘) or 1=1–

can trap the SQL
the select id from user_table where username=’ ‘ or 1=1– ‘and ‘ password =password
in SQL after — everything is ignored …basicallt it tells sql parser that everything right to this is a comment and sql engine ignores that …
so query became
select id from user_table where username=’ ‘ or 1=1
select statement will return either zero length string or where 1=1 true
so 1=1 is always true so it will give all the username
The important point here even if the ‘ or 1=1 fails to check the application it might give error message—-
1.Many ids are matching with the same criteria on XYZ table
2.Error in qery execution on table EMP_table
3.Even sometimes it reports the procedures on error message with table.
This is requirement of a hacker….so he will succeed.

READ  What is Muda Theory?
READ  What is User Acceptance Testing(UAT)?

Most of the web forms have no mechanisms in place to block user input. So this is a scope for test engineer.
Just remember two things..
1. It will not give a tabulated output
2. This is a mechanism by inserting query inside of another query


Spread the love
Animesh Chatterjeehttps://techtravelhub.com/
I am the founder and owner of the blog - TechTravelHub.com, always love to share knowledge on test automation,tools,techniques and tips.I am a passionate coder of Java and VBScript.I also publish articles on Travel ideas and great honeymoon destinations.Apart from these, I am a gear-head,love to drive across India. I have shared lots of articles here on How to travel several parts of India.Customization of cars aka car modification is my another hobby.Get in touch with me on ani01104@gamil.com

Related Articles

Learn What Primary Tools For Test Automation

Primary Tools For Test Automation According to the Gartner report Magic Quadrant...



Please enter your comment!
Please enter your name here

Recent Posts

Super Keyword in Java Simplified

Super Keyword Super Keyword in Java Simplified: Java defines a special...

Learn What Primary Tools For Test Automation

Primary Tools For Test Automation According to the Gartner report...


Spread the love