Documente Academic
Documente Profesional
Documente Cultură
application’s interaction with back-end databases. An attacker may be able to retrieve arbitrary data
from the application, interfere with its logic, or execute commands on the database server itself.
For example, an application may attempt to defend against some SQL injection attacks by blocking input
containing the apostrophe character. However, if the input is subsequently canonicalized, an attacker
may be able to use double URL encoding to defeat the fi lter. For example:
%2527 When this input is received, the application server performs its normal URL decode, so the input
becomes:
%27 This does not contain an apostrophe, so it is permitted by the application’s fi lters. But when the
application performs a further URL decode, the input is converted into an apostrophe, thereby
bypassing the fi lter. If the application strips the apostrophe instead of blocking it, and then performs
further canonicalization, the following bypass may be effective:
%%2727 It is worth noting that the multiple validation and canonicalization steps in these cases need
not all take place on the server side of the application. For example, in the following input several
characters have been HTML-encoded:
SQL Structured Query Language (SQL) is used to access data in relational databases, such as Oracle, MS-
SQL server and MySQL. The vast majority of today’s web applications employ SQL-based databases as
their back-end data store, and nearly all application functions involve interaction with these data stores
in some way. Relational databases store data in tables, each of which contains a number of rows and
columns. Each column represents a data fi eld, such as “name” or “e-mail address,” and each row
represents an item with values assigned to some or all of these fi elds. SQL uses queries to perform
common tasks such as reading, adding, updating, and deleting data. For example, to retrieve a user’s e-
mail address with a specifi ed name, an application might perform the following query: