From the course: DevSecOps: Automated Security Testing
SQLi attack automation
- [Instructor] SQL injection, often abbreviated SQLi and pronounced "SQLeye", is a common web application vulnerability that is probably not unknown to you. It occurs when a user is able to add or inject their own SQL into the application. This means an attacker could read the database, modify data in the database, or even use it to get access to the administration operations on the database. When you see news articles with thousands or millions of records being dumped, SQLi is probably the attack vector behind the scenes. OWASP.org has several examples, but this is probably the easiest to look at to get an idea of SQL injection. Here we're seeing select everything from the items table with a specific owner and a certain item name, and it's taking fields in from a form. All of the items get selected, instead of just the intended one, because the single quote closed out the SQL and the rest evaluates to a true statement. This could logically be represented…
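The OWASP items query the instructor describes, worked through as an added example (not part of the course or its exercise files): the form fields are concatenated into the query text in the vulnerable version and bound as parameters in the hardened one, and the table contents are constructed sample data. It shows why the quote-closing input returns every row from the first version and no rows from the second.

```python
import sqlite3

# Constructed sample data modelled on the OWASP "items" example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (owner TEXT, itemname TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [
        ("wiley", "widget"),
        ("wiley", "gadget"),
        ("alice", "secret-plan"),
    ])
    return conn

def vulnerable_lookup(conn, owner, itemname):
    # The defect the transcript describes: form fields are spliced into the SQL text,
    # so a single quote in the input ends the string literal and the remainder is
    # parsed as SQL. AND binds tighter than OR, so an appended OR-true clause
    # matches every row in the table.
    query = ("SELECT owner, itemname FROM items WHERE owner = '" + owner +
             "' AND itemname = '" + itemname + "'")
    return conn.execute(query).fetchall()

def safe_lookup(conn, owner, itemname):
    # Hardened form: bound parameters keep the input as data. The query text is
    # fixed, so the quote is just a character inside the itemname value.
    query = "SELECT owner, itemname FROM items WHERE owner = ? AND itemname = ?"
    return conn.execute(query, (owner, itemname)).fetchall()

def demo():
    conn = make_db()
    # OWASP's example input: closes the string literal, then adds an always-true test.
    tautology = "name' OR 'a'='a"
    return {
        "vuln_normal": vulnerable_lookup(conn, "wiley", "widget"),
        "vuln_injected": vulnerable_lookup(conn, "wiley", tautology),
        "safe_injected": safe_lookup(conn, "wiley", tautology),
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

In a test suite the same contrast doubles as a regression check: a lookup for one owner that returns rows belonging to another owner is the signal that query text and user data were mixed.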