SQL Injection

This post is for my cybersecurity students, and anyone else taking a cybersecurity class or studying for a certification exam.

From Jason Dion: “The most common type of code injection is SQL injection. An SQL injection attempts to modify one or more of an SQL query’s four basic functions: select, insert, delete, or update. Two common methods of performing an SQL injection are either using a single apostrophe (') or submitting an always true statement like 1=1. As a penetration tester, you need to be familiar with common ASCII encoded text used in URLs equivalents like %20 (space), %5c (\), and %2F (/) to identify SQL injections and file inclusions.”

I use WordFence as one of the cybersecurity plug-ins on my blog. I get daily security reports by email, and here is an example of what a SQL injection attack looks like in the security logs. This one chains together a lot of wildcard characters (*) with standard SQL commands like SELECT, and some XML CHR (character equivalents).

You may run across these in a test question, or in your real-life security logs. If you want to take a crack at solving the code string, you can share it in the post comments.
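To make the two probes in the Dion quote concrete (the lone apostrophe and the always-true 1=1) and to show how the percent-encoded forms turn up in a request log, here is an added example in Python. It is not code from the original post and not Wordfence code. It assumes a throwaway in-memory SQLite table with made-up users, and the log lines are constructed in a simplified access-log style; the regex signatures are a hypothetical starting point for reading logs, not a production WAF rule.

```python
import re
import sqlite3
from urllib.parse import unquote


# Constructed sample data: a tiny in-memory user table (not real credentials).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SELECT by string concatenation, so attacker input becomes
    part of the SQL statement itself. This is the injectable pattern."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Same query with bound parameters: the driver sends the values
    separately from the statement, so a quote or 1=1 stays plain data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def apostrophe_probe_errors(login, conn):
    """The single-apostrophe test: a lone ' unbalances the quoting in a
    concatenated query and the database throws a syntax error, which is
    the tell a tester looks for. Returns True if the probe caused an error."""
    try:
        login(conn, "'", "x")
        return False
    except sqlite3.OperationalError:
        return True


# Constructed request lines in a simplified access-log style. The real
# Wordfence report format differs and is not reproduced here.
SAMPLE_LOG = [
    "203.0.113.5 GET /?id=7 HTTP/1.1 200",
    "203.0.113.5 GET /?id=7%27%20OR%201%3D1--%20 HTTP/1.1 200",
    "203.0.113.5 GET /?q=%27%20UNION%20SELECT%20CHR(97)%7C%7CCHR(98)%20FROM%20users%2F* HTTP/1.1 200",
    "203.0.113.5 GET /page.php?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1 404",
]

# Signatures from the post: a stray apostrophe, an always-true comparison,
# SQL keywords, CHR() character encoding, and SQL comment markers.
SQLI_PATTERN = re.compile(
    r"(?:'|\bOR\b\s+\d+\s*=\s*\d+|\bUNION\b|\bSELECT\b|\bCHR\s*\(|/\*|--)",
    re.IGNORECASE,
)
# Directory traversal, the usual shape of a file-inclusion attempt.
FILE_INCLUSION_PATTERN = re.compile(r"\.\.(?:/|\\)")


def classify_request(line):
    """Percent-decode first (%27 -> ', %20 -> space, %2F -> /, %3D -> =)
    so encoded payloads cannot slip past the patterns, then tag the line.
    Returns a sorted list of tags; an empty list means nothing matched."""
    decoded = unquote(line)
    tags = []
    if SQLI_PATTERN.search(decoded):
        tags.append("sqli")
    if FILE_INCLUSION_PATTERN.search(decoded):
        tags.append("file-inclusion")
    return sorted(tags)


def scan_log(lines):
    """Returns only the flagged lines as (decoded_line, tags) pairs."""
    hits = []
    for line in lines:
        tags = classify_request(line)
        if tags:
            hits.append((unquote(line), tags))
    return hits


if __name__ == "__main__":
    db = build_db()
    print(login_vulnerable(db, "x' OR 1=1 --", "anything"))  # every user
    print(login_safe(db, "x' OR 1=1 --", "anything"))        # []
    for decoded, tags in scan_log(SAMPLE_LOG):
        print(tags, decoded)
```

The vulnerable login turns `x' OR 1=1 --` into `WHERE username = 'x' OR 1=1 --' AND password = '...'`, so the password check is commented away and every row comes back; the parameterized version returns nothing for the same input. On the log side, the decode step matters: a filter that looks for a literal apostrophe never sees `%27` until it is decoded.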


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018, and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
