Sqlia classification v1, till 2010

This classification covers the evolution of SQL injection attacks up to 2010. There is no reference to newer attacks on WebSQL etc. It is meant as an attachment to my B.Sc. thesis from 2010.
The thesis was presented to the
Department of Electrical Engineering and Information Sciences
of the Ruhr-University of Bochum,
Chair of Network and Data Security,
Horst-Görtz Institute,
Prof. Jörg Schwenk

Table 1: Classification of the SQL Injection Web attacking vector

SQLIA Classification (columns: Classification Methods / Techniques, parameters / Implementation)

Intent (techniques and implementation: see Input type of attacks)
  • Identifying injectable parameters
  • Extracting Data
  • Adding or Modifying Data
  • Performing Denial of Service
  • Evading detection
  • Bypassing Authentication
  • Executing remote commands
  • Performing privilege escalation

Input Source
  • Injection through user input: malicious strings in Web forms
      URL: GET method
      Input field(s): POST method
  • Injection through cookies: modified cookie fields containing SQLIA
  • Injection through server variables: headers are manipulated to contain SQLIA
  • Second-order injection:
      Frequency-based Primary Application
      Frequency-based Secondary Application
      Secondary Support Application
      Cascaded Submission Application

Input type of attacks (SQLIA technical aspect)
  • Classic SQLIA: Piggy-Backed Queries, Tautologies, Alternate Encodings, Illegal/Logically Incorrect Queries, UNION SQLIA, Stored Procedures
  • Out-Of-Band SQLIA: Out-Of-Band Channeling
  • Inference SQLIA:
      Classic Inference: Conditional Responses, Conditional Errors
      Blind SQLIA: Double Blind SQLIA (Time-delays/Benchmark attacks or Timing SQLIA), Deep Blind SQLIA (Multiple statements SQLIA)
  • DBMS specific SQLIA: DB Fingerprinting, DB Mapping
  • Compounded SQLIA: Fast-Fluxing SQLIA

K. Deltchev, Krassen.Deltchev@rub.de
