SQL Injection Methodology

An overview of black-box and white-box SQLi methodologies.

Black-Box Testing

1. Mapping
2. Fuzzing
   1. Submit SQL-specific characters (‘ or “), checking for errors/anomalies
   2. Submit Boolean conditions (OR 1=1 and OR 1=2), checking response differences
   3. Submit payloads to trigger time delay differences
   4. Submit OAST payloads to trigger out-of-band network interaction

White-Box Testing

1. Enable web server logging
2. Enable database logging
3. Map the application
   1. Visible functionality
   2. Regex search on code talking to the database
4. Code review