Using XSS to Launch a SQL Injection Attack

Tuesday, June 03, 2008

Several weeks ago I stumbled on a client’s e-commerce site that had (what appeared to be) a non-vulnerable SQL Injection pathway on a search form. I used the standard calls to determine if it was vulnerable, determined (or so I thought) that it wasn’t and moved on to test for XSS.

While testing for XSS with the de-facto alert('xss') script that we all know and love, it turned out the vulnerable field was in fact prone to SQL Injection (I just had to mod my testing methods a little bit).

Throughout the course of running the concept of utilizing XSS to perform SQL Injection past colleagues and other forums, it quickly became apparent that the biggest use would be in targeting sites with known persistent XSS vectors, to amass a distributed SQL Injection attack towards a vulnerable 3rd party system.

So, why is this important? Well, there are many automated SQL Injection tools (many listed in my Pen Testing Tools section) that can perform brutal SQL Injection attacks, but they are traceable by source IP address. You could run through a series of proxies, but that too is eventually traceable.

This means that a potentially insignificant XSS on your website/portal could be used as a launching point, via JavaScript, to perform an unwitting SQL Injection attack against a third party: all the more reason to close even those tiny XSS flaws in your site.
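The mechanism behind the discovery above, and the fix the closing advice calls for, in one added example that is not from the original post. It assumes a hypothetical product-search handler over an in-memory SQLite table (constructed here, not the client's site). The first handler concatenates the search term into the SQL text, so the single quotes in the XSS probe reach the SQL parser and produce a database error, which is what exposed the injection; the second binds the term as a parameter, and the renderer HTML-escapes the echoed term so the same field cannot be used as a stored-script launching point. The probe string is reconstructed from the post's description of the alert('xss') script.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory catalogue standing in for the e-commerce products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO products (name) VALUES (?)",
        [("red widget",), ("blue widget",), ("green gadget",)],
    )
    return conn


def vulnerable_search(conn, term):
    """The 'before' pattern: the term is spliced into the SQL text.

    Any quote character in `term` becomes part of the statement, so an XSS
    probe containing quotes breaks the query and the database error leaks back
    to the user. That error is the signal that input is reaching the SQL parser.
    """
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        return "SQL error: " + str(exc)


def safe_search(conn, term):
    """Parameterised query: `term` is bound as data and never parsed as SQL.

    Note that LIKE wildcards (% and _) in the term still act as wildcards;
    that affects result scope, not the integrity of the statement.
    """
    rows = conn.execute(
        "SELECT name FROM products WHERE name LIKE ?", ("%" + term + "%",)
    )
    return [row[0] for row in rows]


def render_results(term, results):
    """Echo the search term back into HTML with escaping, closing the XSS sink."""
    items = "".join("<li>%s</li>" % html.escape(r) for r in results)
    return "<p>Results for: %s</p><ul>%s</ul>" % (html.escape(term), items)


# Probe reconstructed from the post's description (the alert('xss') script).
XSS_PROBE = "<script>alert('xss')</script>"

if __name__ == "__main__":
    conn = make_db()
    print(vulnerable_search(conn, "widget"))      # normal results
    print(vulnerable_search(conn, XSS_PROBE))     # SQL error: the tell-tale sign
    print(safe_search(conn, XSS_PROBE))           # [] - no error, nothing matched
    print(render_results(XSS_PROBE, safe_search(conn, XSS_PROBE)))
```

Running the script shows the two behaviours side by side: the concatenated handler returns a SQL syntax error for the probe, while the parameterised handler simply finds no matching product and the rendered page contains only escaped markup.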

- Donwalrus
