SQL Injection Methodology

An overview of black-box and white-box SQLi methodologies.

Black-Box Testing

  1. Mapping
  2. Fuzzing
    1. Submit SQL-specific characters (' or "), checking for errors/anomalies
    2. Submit Boolean conditions (OR 1=1 and OR 1=2), checking for response differences
    3. Submit payloads designed to trigger time delays, checking for response-time differences
    4. Submit OAST payloads to trigger out-of-band network interaction

White-Box Testing

  1. Enable web server logging
  2. Enable database logging
  3. Map the application
    1. Visible functionality
    2. Regex search for code that talks to the database
  4. Code review
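As an added example for the "regex search for code that talks to the database" step (this is not code from the original page), the helper below scans source text for database call sites and flags those that build the query from concatenation or interpolation instead of bound parameters, giving the code reviewer a starting list. The call-name list, the risk patterns and the sample source are constructed assumptions and should be extended to match the code base under review.

```python
import re
from typing import List, Tuple

# Entry points that hand a query to the database (hypothetical list; extend per code base).
DB_CALL = re.compile(r"\b(execute|executemany|query|raw|rawQuery|mysql_query|pg_query)\s*\(", re.I)

# Signs that the SQL string is assembled at the call site rather than parameterised:
# "+" concatenation, %-formatting, .format(), an f-string, or a ${...} template literal.
RISKY = re.compile(r"""(\+\s*\w|"\s*\+|%\s*\(|\.format\(|\bf["']|\$\{)""")

# Constructed sample source: one concatenated query, one parameterised query, one f-string query.
SAMPLE_SOURCE = """\
def get_user(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = '" + username + "'")
    return cur.fetchone()

def get_order(conn, order_id):
    cur = conn.cursor()
    cur.execute("SELECT * FROM orders WHERE id = %s", (order_id,))
    return cur.fetchone()

def search(conn, term):
    cur = conn.cursor()
    cur.execute(f"SELECT * FROM items WHERE name LIKE '%{term}%'")
    return cur.fetchall()
"""


def find_db_calls(source: str) -> List[int]:
    """Mapping step: return the line numbers of every database call site."""
    return [n for n, line in enumerate(source.splitlines(), start=1) if DB_CALL.search(line)]


def find_risky_queries(source: str) -> List[Tuple[int, str]]:
    """Review step: return (line_number, line) for call sites that build SQL from strings.
    Only single-line calls are inspected; a query assembled over several lines needs
    a parser-based check rather than a line regex."""
    hits = []
    for n, line in enumerate(source.splitlines(), start=1):
        if DB_CALL.search(line) and RISKY.search(line):
            hits.append((n, line.strip()))
    return hits


if __name__ == "__main__":
    for n, line in find_risky_queries(SAMPLE_SOURCE):
        print(f"line {n}: {line}")
```

Lines that use a placeholder with a separate parameter tuple (like the `%s` query above) are listed as call sites but not flagged, which is the distinction the reviewer wants to confirm by hand.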