From: Kyle Quest (Kyle.Quest@networkengines.com)
Date: Fri Feb 10 2006 - 11:39:48 EST
Don't let anybody confuse you. They are pretty much the same thing.
"Form based" can be considered a generic name
because forms use either the GET or POST
HTTP methods. If GET is used, then your SQL
injection ends up in the URL. If POST is used,
then the form data along with your injected data
is passed in the body of your HTTP request.
The difference is only in the way the injected
data is transported to the victim. Some webapps
accept form data through both GET and POST
requests, which sometimes can be used to evade
network-based detection systems if they are expecting
form data only in get requests. Even if they do
check POST requests there's a possibility that
they don't handle all different encodings of POST
data.
Kyle
-----Original Message-----
From: johnny Mnemonic [mailto:security4thefainthearted@hotmail.com]
Sent: Friday, February 10, 2006 1:07 AM
To: pen-test@securityfocus.com
Subject: sql injection: url or form based?
I see many references to manipulation of SQL backend databases through both
URL based and Forms based SQL injection but I'm wondering what are the
essentials differences between both methods and when to use one over the
other.
Thanks.
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:29 EDT