Looking for our research? We've moved it to a dedicated page

Out-of-band input channels

Dafydd Stuttard | 11 April 2007 at 21:48 UTC
SQL Injection input

When we think about attacking web applications, it is natural to focus on the core means by which we can interact with a target application - that is, using HTTP requests generated by a web browser or other client software. In many applications, however, there are other channels through which we can introduce our input into the application’s processing. These out-of-band channels represent a significant, and often buggy, area of attack surface.

Here are some examples in applications which I have encountered:

Another example, which I have not encountered and which probably falls into the category of bar-room apocrypha, concerned an application used to process the photographed images of speeding motorists. Reputedly, the application used OCR to read the car’s registration number, and placed this into a SQL query to update its records. Of course, it was vulnerable to SQL injection, but this could only be exploited by printing your attack string onto a registration plate and then driving quickly past a camera. Furthermore, the bug was completely blind, with minimal opportunities for retrieving the results of an arbitrary query. It was mooted that time delays might provide a solution - for example, by triggering very long conditional delays and monitoring the time taken to receive a ticket. However, with only 12 available points on your license, retrieving one bit of data at a time is unlikely to succeed. In this situation, therefore, perhaps the most effective PoC attack string would be:

'; drop table offenders--