SQL Injection Tests

SQL Detection

• Append -- to the query param:
  • If the response does not change, the query param might be used in an SQL statement.

SQL Error Detection

• Append ', " or ` to the query param:
  • If the response lacks data or contains an SQL Error message, the query param is being used in an SQL statement.

Filter Detection

• Pre-append -- to the query param:
  • If the response does not change, filtering may be removing - characters.
• Append 0 to the numeric query param:
  • If the response does not change, filtering may be removing 0 characters.
• Pre-append punctuation characters to the query param:
  • If the response does not change, filtering may be removing punctuation characters.
• Append non-numeric characters to the query param:
  • If the response does not change, the query param is being sanitized using a String to Integer conversion function.

Numeric Detection

• Pre-append 0 to the numeric query param:
  • If the response does not change, the query param is being treated as an Integer.
• Pre-append - to the numeric query param:
  • If the response does change, the the query param is being treated as an Integer.
• Pre-append + to the numeric query param:
  • If the response does not change, the query param is being treated as an Integer.
• Divide the numeric query param by 2 and pre-append 2*:
  • If the response does not change, the query param is being treated as an Integer.
• Subtract 1 from the numeric query param and pre-append 1+:
  • If the response does not change, the query param is being treated as an Integer.

String Detection

• Wrap the query param in the substr function, with the pos argument set to 0, and the len argument set to the length of the query param plus 1:
  • If the response does not change, the query param is being treated as a String.
• If the query param consists of all lower-case characters, wrap the query param in the lower function:
  • If the response does not change, the query param is being treated as a String.