SQL Injection and HTTP Status Codes

3 Posts
3 Users
0 Likes
4,071 Views
(@littledave)
Posts: 8
Active Member
 

Hi Markus,

The success doesn't depend on the response code - there is also no direct connection between injections and the response codes. The most common is 200, but that does not imply/confirm that the injection worked - it could just as equally have failed.

Another common response code would be a 302, which means 'temporary redirect'. For example, if you had an admin-page which lets you add/remove/delete addresses, it might be common practice to refresh the list of addresses after an address has been deleted (i.e. redirect the admin page to itself, causing a page-reload). This is normally done with a 302 status. If someone injected SQL while deleting a record, the script would most likely still redirect with the same 302.

The main ones to look for are 200, 301 and 302, although it is equally possible to inject SQL and receive a 500, or even a 404 response.

lg

Dave

 
Posted : 26/09/2010 10:23 pm
(@dave-hull)
Posts: 15
Active Member
 

My experience is the same as littledave's: there's no strong correlation between response codes and the success or failure of SQL injection attacks. You're likely going to have to dig deeper. You may need to pull in the developer(s) and have them review the application and the information you have in your logs to determine which attacks may have been successful.

I worked for a bank holding company for a couple of years doing code review and web application penetration testing. In some instances, attempting SQL injection would result in a 500 error; typically this was an indicator that the attack was working and that the application was throwing errors due to the input I was providing. In such cases, it was often necessary to use blind SQL injection attacks that relied on timing in order to determine if they were actually working or not.

In other cases, the server would respond with a 200, and still be vulnerable to SQL injection, returning the results of the query I'd injected.

It's unfortunate, but the only way to determine for sure is going to be labor intensive. Good luck.

 
Posted : 28/09/2010 8:43 pm
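A log-triage sketch for the review described in the posts above, added here as an example and not part of any post in the thread. It assumes the access log records response size and a trailing response time in milliseconds; the sample lines, the pattern list and the thresholds are constructed for illustration.

```python
import re
from statistics import median
from urllib.parse import unquote_plus

# Constructed sample lines: combined-log style plus a trailing response time in ms (assumed field).
SAMPLE_LOG = """\
10.0.0.5 - - [26/Sep/2010:10:00:01 +0000] "GET /item.php?id=1 HTTP/1.1" 200 5120 40
10.0.0.6 - - [26/Sep/2010:10:00:02 +0000] "GET /item.php?id=2 HTTP/1.1" 200 5090 38
10.0.0.7 - - [26/Sep/2010:10:00:03 +0000] "GET /item.php?id=3 HTTP/1.1" 200 5200 45
203.0.113.9 - - [26/Sep/2010:10:01:00 +0000] "GET /item.php?id=1%27 HTTP/1.1" 500 612 35
203.0.113.9 - - [26/Sep/2010:10:01:05 +0000] "GET /item.php?id=1%20UNION%20SELECT%20a,b%20FROM%20t HTTP/1.1" 200 48211 52
203.0.113.9 - - [26/Sep/2010:10:01:09 +0000] "GET /item.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 5120 5043
203.0.113.9 - - [26/Sep/2010:10:01:12 +0000] "GET /item.php?id=1%20OR%201=1-- HTTP/1.1" 200 5120 41
"""

LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3}) (\d+) (\d+)$')
# Illustrative markers only; a real review would use a broader rule set.
SQLI = re.compile(r"'|--|\bunion\b.+\bselect\b|\bsleep\s*\(|\bor\b\s+\d+=\d+", re.I)

def triage(log_text, size_factor=2.0, slow_factor=10.0):
    """Return (line_no, status, reasons) for every request whose query looks like SQLi."""
    rows = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE.search(line)
        if m:
            url, status, size, ms = m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4))
            path, _, query = url.partition("?")
            rows.append((n, path, unquote_plus(query), status, size, ms))
    findings = []
    for n, path, query, status, size, ms in rows:
        if not SQLI.search(query):
            continue
        # Baseline: benign 200 responses for the same path.
        base = [(s, t) for _, p, q, st, s, t in rows if p == path and st == 200 and not SQLI.search(q)]
        reasons = []
        if status >= 500:
            reasons.append("server-error")      # input broke the query; needs follow-up
        if base:
            b_size = median(s for s, _ in base)
            b_ms = median(t for _, t in base)
            if status == 200 and (size > b_size * size_factor or size < b_size / size_factor):
                reasons.append("size-anomaly")  # body differs sharply from normal pages
            if ms > b_ms * slow_factor:
                reasons.append("slow-response") # consistent with timing-based blind SQLi
        # A normal-looking 200 proves nothing either way, so it stays "inconclusive".
        findings.append((n, status, reasons or ["inconclusive"]))
    return findings
```

Entries marked "inconclusive" are not cleared; they are the ones that still need review against the application code.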
zikmik
(@zikmik)
Posts: 28
Eminent Member
 

The easiest way is to pull the SQL-i from the log and execute them through a browser as guest.
There you can see if the SQL-i was successful…

 
Posted : 12/10/2010 2:41 pm