SQL, Code Injection, and Scanners

Code injection occurs when unvalidated data is added (injected) into a vulnerable program and executed. Injection can occur in SQL, NoSQL, LDAP, XPath, XML parsers, and even through SMTP headers.

The XSS vulnerabilities discussed in the previous chapter are also examples of code injection. When an unsanitized HTML tag with malicious code in its attribute is added to a web application's database via a comment thread or discussion board submission, that code is injected into the application and executed when other users view that same comment or discussion.

For the purposes of this chapter, though, we're going to focus on detecting and preventing code injection attacks against databases, both SQL and NoSQL. We'll cover how to use CLI tools to test a form input for SQLi vulnerabilities, how to use similar techniques for NoSQLi, how to scan for SQLi and other injection attacks, and best practices for avoiding damage to your target's database.

In this chapter, we will cover the following topics:

  • SQLi and other code injection attacks
  • Testing for SQLi with sqlmap
  • Trawling for bugs
  • Scanning for SQLi with Arachni
  • NoSQL injection
  • An end-to-end example of SQLi