A3:2021 | SQL Injection Mitigation (9) | Cycubix Docs
Last updated
Last updated
You need to do both, use parametrized queries and validate the input received from the user. On StackOverflow you will see a lot of answers stating that input validation is enough. However it only takes you so far before you know the validation is broken, and you have an SQL injection in your application.
The link provided by WebGoat has expired, for more information we recommend this article: invicti.com
Let’s repeat one of the previous assignments, the developer fixed the possible SQL injection with filtering, can you spot the weakness in this approach?
Read about the lesson goal in SQL Injection Advanced (3).
Solution
We need to get retrieve all data from the user_system_data
table.
Here are some of the hints:
Spaces are rejected, try to find a way around this restriction.
Try to use a comment in the query
WebGoat uses HSQLDB as a database can you use one of them to make skip the filtering?
So we need to obfuscate the querie and bypass filters.
The code is "a';//select//*//from//user_system_data;--". Let's break it down:
/**/
: Comment blocks are used to bypass basic filters that might look for spaces.
To retrieve all data from the user_system_data
table while avoiding detection by basic filtering mechanisms, you can obfuscate the SELECT
statement using comments.
;--
: The semicolon ends the current query, and the --
comments out the rest of the SQL query.