
I was poking around with the "reset password" page of a website (security testing and bug hunting is allowed on it.)

When you put in your email address, it uses HTML character reference encoding to encode your address. For example:

Email: example@example.com >> example@example.com

Is it possible to inject SQL commands even though it's been encoded like this?

Thanks in advance

Gumbo
Mico

1 Answer

SQL injection works by skipping out from the "value" part of SQL syntax into the "command" part.

String values (as in your example) are surrounded by quotes - to break out you would need to include a similar quote in your value (like ' WHERE 1; DROP TABLE ... or whatever the actual syntax would be). HTML encoding doesn't allow quotes, so that won't work.

I did wonder a bit about unquoted fields - e.g. if it's expecting a number (from a dropdown) but you give it a command (like 5 WHERE 1; DROP TABLE ... or whatever). However, I'm not aware of any single-word SQL statements - i.e. you can't do anything without something to separate the tokens (e.g. a space or punctuation ( etc.). So even if you were looking at an unquoted field like a number then you could screw up the statement and produce an error, but not actually execute anything.

cloudfeet
  • Input values are not only used as literals. They may also be used as identifiers, syntax components like keywords, operators, etc. – Gumbo May 06 '15 at 05:13
  • The question was about value-escaping. If you're using user-submitted input as SQL keywords, then you've gone way past "insufficient escaping" into "wtf, are you getting paid per vulnerability?" ;) – cloudfeet May 06 '15 at 11:54
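As an added example (not code from the question or the answer above), the following Python script with SQLite illustrates the answer's points: an HTML-encoded apostrophe (`&#x27;`) cannot close a quoted SQL literal, a space in an unquoted numeric field is not encoded and can still break the statement, and parameter binding is the real fix, since it also handles a legitimate address that contains an apostrophe. The table contents are constructed for the demonstration.

```python
import html
import sqlite3

def make_db():
    """Constructed sample table (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users (email) VALUES (?)",
                     [("example@example.com",), ("o'brien@example.com",)])
    return conn

def lookup_concat(conn, email):
    """Vulnerable pattern: the value is spliced into a quoted literal."""
    sql = "SELECT id FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_id_concat(conn, user_id):
    """Vulnerable pattern for an unquoted numeric field."""
    sql = "SELECT email FROM users WHERE id = " + user_id
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn, email):
    """Correct pattern: the value travels as a bound parameter."""
    sql = "SELECT id FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]

def run_or_error(fn, *args):
    """Return the rows, or the string 'error' if SQLite rejects the statement."""
    try:
        return fn(*args)
    except sqlite3.Error:
        return "error"

def demo():
    conn = make_db()
    return {
        # The apostrophe arrives as &#x27;, so the quoted literal is never closed:
        # no breakout, but the legitimate address is not found either.
        "concat_encoded": run_or_error(lookup_concat, conn, html.escape("o'brien@example.com")),
        # Without encoding the literal closes early and the statement is malformed.
        "concat_raw": run_or_error(lookup_concat, conn, "o'brien@example.com"),
        # Spaces are not HTML-encoded, so an unquoted field can still be broken.
        "concat_numeric": run_or_error(lookup_id_concat, conn, html.escape("5 WHERE 1")),
        # Parameter binding handles both addresses correctly.
        "param_plain": run_or_error(lookup_param, conn, "example@example.com"),
        "param_apostrophe": run_or_error(lookup_param, conn, "o'brien@example.com"),
    }
```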