From the course: DevSecOps: Automated Security Testing


SQLi attack automation

- [Instructor] SQL injection, often abbreviated SQLi and pronounced "SQL-eye", is a common web application vulnerability that is probably not unknown to you. It occurs when a user is able to add or inject their own SQL into the application. This means an attacker could read the database, or modify data in the database, or even use it to get access to the administration operations on the database. When you see news articles with thousands or millions of records being dumped, SQLi is probably the attack vector behind the scenes. OWASP.org has several examples, but this is probably the easiest to look at to get an idea of SQL injection. Here we're seeing select everything from the items table, with a specific owner and a certain item name, and it's taking fields in from a form. All of the items get selected, instead of just the intended one, because the single quote closed out the SQL, and the rest evaluates to a true statement. This could logically be represented…
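The OWASP items lookup described above, as an added example that is not part of the course: the concatenated query beside its parameterized form, wrapped in a small regression check of the kind an automated security test suite would run. The table contents, the column names and the tautology payload are constructed for the demonstration; the in-memory SQLite database stands in for the application's real database.

```python
import sqlite3

# Constructed sample data (not from the course): an items table with two owners.
ITEMS = [
    ("alice", "lamp"),
    ("alice", "chair"),
    ("bob", "desk"),
    ("bob", "lamp"),
]


def make_db():
    """Build an in-memory SQLite database with an OWASP-style items table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (owner TEXT, itemname TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", ITEMS)
    return conn


def vulnerable_lookup(conn, owner, item_name):
    """Builds the query by string concatenation, the mistake the OWASP
    example illustrates: form fields are pasted straight into the SQL text."""
    sql = ("SELECT owner, itemname FROM items WHERE owner = '" + owner
           + "' AND itemname = '" + item_name + "'")
    return conn.execute(sql).fetchall()


def safe_lookup(conn, owner, item_name):
    """Same lookup with bound parameters: the driver passes the values
    separately from the SQL, so a quote in the input cannot close the literal."""
    sql = "SELECT owner, itemname FROM items WHERE owner = ? AND itemname = ?"
    return conn.execute(sql, (owner, item_name)).fetchall()


def injection_check(owner="alice"):
    """Automated regression check: a tautology payload must not widen the
    result set. Returns (rows from vulnerable query, rows from safe query)."""
    conn = make_db()
    # Constructed payload: the quote closes the itemname literal and the
    # remainder is always true, so the WHERE clause matches every row.
    payload = "lamp' OR 'a'='a"
    vuln = vulnerable_lookup(conn, owner, payload)
    safe = safe_lookup(conn, owner, payload)
    conn.close()
    return len(vuln), len(safe)


if __name__ == "__main__":
    v, s = injection_check()
    print(f"concatenated query returned {v} rows, parameterized query returned {s}")
```

Running it returns 4 rows for the concatenated query (every item, both owners) and 0 for the parameterized one, which is the assertion a pipeline test would make against any data-access function before deploying.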
