News Feed
Sections




News Archive
Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Infosec Institute:
SQL Injection through HTTP Headers
April 04, 2012 @ 10:17:08

While not specific to PHP, security is something that all developers need to think about in their applications. To that end, the Infosec Institute has published this guide to helping you prevent SQL injection attacks that could come in via the HTTP headers of requests to your site.

During vulnerability assessment or penetration testing, identifying the input vectors of the target application is a primordial step. Sometimes, when dealing with Web application testing, verification routines related to SQL injection flaws discovery are restricted to the GET and POST variables as the unique inputs vectors ever. What about other HTTP header parameters? Aren't they potential input vectors for SQL injection attacks? How can one test all these HTTP parameters and which vulnerability scanners to use in order to avoid leaving vulnerabilities undiscovered in parts of the application?

They start by describing the different kinds of headers that the attacks could come in on - GET, POST, cookies and the other HTTP headers. According to some results, the HTTP headers option is the least protected in most common applications. He includes some good examples of headers that might contain malicious data such as:

  • X-Forwarded-For
  • User-agent
  • Referer

Techniques are also included showing you tools and methods to help test your own applications including some in-browser tools and external applications (like Sqlmap, Nessus, WebInspect, SkipFish and Wapiti) with some average scores from running them on various coverage scores.

0 comments voice your opinion now!
sql injection http headers security prevention scanner


blog comments powered by Disqus

Similar Posts

Vinu Thomas' Blog: Modifying your MySQL databases to be UTF-8 compliant

PHPClasses.org: PHP security exploit with GIF images

Community News: Zend Framework Security Upgrade (Zend_XmlRpc XXE Issue)

Ian Selby's Blog: Create a REST API with PHP

Richard Lord's Blog: PHP Password Security


Community Events





Don't see your event here?
Let us know!


interview laravel community framework list code deployment voicesoftheelephpant release bugfix language series tips development podcast introduction api threedevsandamaybe symfony zendserver

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework