Black-box testing is a method of software testing that examines the functionality of an
application (e.g. what the software does) without peering into its internal structures or
workings. Black-box testing is used to detect issues in SQL statements and to detect SQL
injection vulnerabilities.
Most commonly, SQL injection vulnerabilities are a result of coding vulnerabilities during the
Implementation/Development phase and will likely require code changes.
Pen testers need to perform this testing during the development phase to find and fix the
SQL injection vulnerability.
What can a pen tester do to detect input sanitization issues?
A. Send single quotes as the input data to catch instances where the user input is not sanitized
B. Send double quotes as the input data to catch instances where the user input is not sanitized
C. Send long strings of junk data, just as you would send strings to detect buffer overruns
D. Use a right square bracket (the “]” character) as the input data to catch instances where the user input is used as part of a SQL identifier without any input sanitization
D
Square brackets are only to ‘escape’ column names if they have special characters (like spaces) or are themselves an SQL keyword.
How does this help detect sanitation errors? Esp. when enclosed by single quotes, they are just plain text to the server…
Only A has any impact on the SQL statement as a single quote signals the end of a value. The server should error out on that since it’d now get an uneven number of single quotes, and the SQL statement no longer follows syntax. This would then break application processing and inform the hacker that they should be able to abuse that non-sanitized field to inject additional code: “‘; drop table users --”
So some reference on why D would be correct should be provided as the ECSAv8 book certainly doesn’t seem to!
“D” (ECSA module 17 page 615)
I also have the same question. How can we use a right square bracket as the input data to catch instances where the user input is used as part of a SQL identifier without any input sanitization?
Hope this clears the air.
The ECSA v8 guide didn’t really explain technically how this works. I found this document that explains with examples how this works.
Quick Security Reference – SQL Injection.docx – Microsoft
https://www.google.com.sg/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0CCIQFjABahUKEwi-i66CtrfIAhUMHY4KHWadBDM&url=http%3A%2F%2Fdownload.microsoft.com%2Fdownload%2FE%2FE%2F7%2FEE7B9CF4-6A59-4832-8EDE-B018175F4610%2FQuick%2520Security%2520Reference%2520-%2520SQL%2520Injection.docx&usg=AFQjCNHnnJLtSstKr5Ajzx3bQTiysMR8ag&bvm=bv.104819420,d.c2E&cad=rja
D
SQL injection black box penetration testing
In the SQL injection black box testing, it is assumed that no prior knowledge of the infrastructure is to be tested. The testers must first determine the location and extent of the systems before starting their analysis. The steps performed for the black box penetration testing are as follows:
Detecting SQL injection issues: The penetration tester sends a single quote or double quotes to catch instances where the user input is not sanitized.
Detecting SQL modification: The penetration tester sends long strings of single quote characters or right square brackets or double quotes. These steps can max out the return values from the REPLACE and QUOTENAME functions and might truncate the command variable that is used to hold the SQL statements.
Detecting input sanitization: The penetration tester uses the right square bracket to catch the instances where the user input is used as a part of a SQL identifier without any input sanitization.
Detecting truncation issue: The penetration tester sends long strings of junk data. This action might throw SQL errors on the page.
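To make the right-square-bracket and long-string points above concrete from the defender's side, here is an added Python model (not code from the ECSA guide or from Microsoft) of a T-SQL identifier built from user input. The quotename() function is a Python imitation of SQL Server's QUOTENAME, including its documented behaviour of returning NULL for input longer than 128 characters; the table, column names and allowlist are assumed sample values.

```python
# Added example: why "]" exposes an unquoted identifier, how QUOTENAME-style
# quoting fixes it, and how the 128-character limit turns into a NULL result.

QUOTENAME_MAX_INPUT = 128          # SQL Server QUOTENAME returns NULL above this
ALLOWED_COLUMNS = {"Id", "Name", "Email"}   # constructed allowlist for the demo


def quotename(identifier: str):
    """Python model of T-SQL QUOTENAME: wrap in [ ], double every ']' inside,
    and return None (NULL) when the input exceeds 128 characters."""
    if len(identifier) > QUOTENAME_MAX_INPUT:
        return None
    return "[" + identifier.replace("]", "]]") + "]"


def build_query_naive(column: str) -> str:
    """Defective construction: the input becomes part of the identifier with no
    sanitization, which is exactly the case option D is meant to catch."""
    return "SELECT " + column + " FROM dbo.Users"


def build_query_quotename(column: str):
    """Hardened construction: identifier passed through the QUOTENAME model.
    Returns None when QUOTENAME would yield NULL so the caller fails closed
    instead of running a truncated or NULL statement."""
    quoted = quotename(column)
    return None if quoted is None else "SELECT " + quoted + " FROM dbo.Users"


def build_query_allowlist(column: str):
    """Preferred construction: identifiers come from a fixed allowlist, and
    quoting is only defence in depth."""
    return build_query_quotename(column) if column in ALLOWED_COLUMNS else None


def brackets_balanced(sql: str) -> bool:
    """Reviewer-side check: every '[' identifier must be closed, with ']]'
    inside an identifier treated as an escaped bracket. A stray ']' or an
    unclosed '[' means the user input escaped (or broke) the identifier."""
    i, inside = 0, False
    while i < len(sql):
        ch = sql[i]
        if not inside and ch == "[":
            inside = True
        elif inside and ch == "]":
            if i + 1 < len(sql) and sql[i + 1] == "]":
                i += 1                      # escaped ']]' stays inside
            else:
                inside = False
        elif not inside and ch == "]":
            return False                    # stray closing bracket
        i += 1
    return not inside
```

Running the "]" probe through build_query_naive yields a statement that fails brackets_balanced, while the QUOTENAME-style builder keeps it a valid, balanced identifier; a 129-character probe makes the hardened builder return None, mirroring the NULL that the page's truncation test is looking for.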