#4594 a simple login request. uid=aaa & passw=bbb

#4602 a probe. uid= & passw=

#4605 a fuller probe. Having received the error page of the above, the attacker wants to find out exactly how his/her input is processed. Hence uid=aaabbb & passw=ccc

#4607 the full attack. uid= or 1=1 or username= & passw=

Note the SQL fragment or 1=1 or username=

Note Referer exists, session is maintained, attack is application specific.

Note that this is a POST request: web servers simply don't log the parameters!!!
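
Because the parameters never reach the web server's access log, detection has to run on the request bodies themselves, for example bodies recovered from a capture. The following is an added example, not part of the original page: it scans the four requests listed above for empty fields and for the "or 1=1 or username=" pattern. The form encoding of the bodies and the names CAPTURED, classify_body and scan are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs

# Constructed form-encoded bodies for the four requests listed above.
# Request numbers and field values come from the page; the encoding is assumed.
CAPTURED = [
    (4594, "uid=aaa&passw=bbb"),
    (4602, "uid=&passw="),
    (4605, "uid=aaabbb&passw=ccc"),
    (4607, "uid=+or+1%3D1+or+username%3D&passw="),
]

# "or <x>=<x>": a comparison that is always true, such as the page's "or 1=1".
TAUTOLOGY = re.compile(r"\bor\s+['\"]?(\w+)['\"]?\s*=\s*['\"]?\1\b", re.I)
# A boolean operator followed by a dangling "<column>=", as in "or username=".
DANGLING = re.compile(r"\b(?:or|and)\s+\w+\s*=\s*$", re.I)

def classify_body(body):
    """Return a sorted list of findings for one form-encoded POST body."""
    fields = parse_qs(body, keep_blank_values=True)  # keep empty fields visible
    findings = set()
    for name, values in fields.items():
        for value in values:
            if value == "":
                findings.add(f"{name}:empty")
            if TAUTOLOGY.search(value):
                findings.add(f"{name}:tautology")
            if DANGLING.search(value):
                findings.add(f"{name}:dangling-comparison")
    return sorted(findings)

def scan(captured):
    """Map request number -> findings, keeping only requests with findings."""
    results = {}
    for number, body in captured:
        findings = classify_body(body)
        if findings:
            results[number] = findings
    return results

if __name__ == "__main__":
    for number, findings in scan(CAPTURED).items():
        print(number, findings)
```

An empty field on its own is a weak signal; it matters here because it precedes the tautology in the same session.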