Exploit SQL Injection

Goal
Determine whether user-controlled input can alter SQL query logic in a way that changes access, data, or behavior.

Assumptions
- one or more endpoints send untrusted input to a database layer
- query construction may not be safely parameterized everywhere
- secondary features are often weaker than primary flows

Prerequisites
- endpoints with user-controlled input
- ability to replay and compare requests
- safe test environment and authorization to probe

Recon steps
- Map all user-controlled inputs: query params, forms, JSON, cookies, headers.
- Look for filtering, sorting, search, exports, and admin-only features.
- Note error behavior, timing, and content changes.

Exploit / test steps
- Send simple syntax probes to detect parser influence.
- Test boolean and timing differences where appropriate.
- Compare success/failure behavior across endpoints.
- Probe less obvious inputs like headers, hidden params, or mobile/API routes.
- Confirm whether the issue is read-only, auth bypass, or broader query control.
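The following is an added example, not part of the playbook, showing why the quote probe and the boolean check above produce the clues they do, and why they produce nothing once the query is parameterized. It assumes Python's built-in sqlite3 module and a constructed in-memory users table; the function names (find_user_vulnerable, find_user_parameterized, outcome, boolean_differential) are hypothetical and exist only for this illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the page): an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    return conn


def find_user_vulnerable(conn, username):
    # Raw concatenation: the input becomes part of the SQL text, so a quote in it
    # closes the string literal and whatever follows is parsed as SQL.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn, username):
    # Placeholder binding: the query text is fixed and the input is bound as a
    # value, so quotes or keywords in it are only ever compared against the column.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def outcome(lookup, conn, value):
    """Run one lookup and report either its rows or the string 'error'.
    An SQL error reaching the caller is the first validation clue."""
    try:
        return lookup(conn, value)
    except sqlite3.Error:
        return "error"


def boolean_differential(lookup, conn, base):
    """Second validation clue: append a condition that is always true, then one
    that is always false, and compare the two responses. A difference means
    the appended condition reached the SQL parser instead of staying data."""
    true_side = outcome(lookup, conn, base + "' AND '1'='1")
    false_side = outcome(lookup, conn, base + "' AND '1'='2")
    return true_side != false_side


if __name__ == "__main__":
    db = make_db()
    for name, lookup in (("concatenated", find_user_vulnerable),
                         ("parameterized", find_user_parameterized)):
        print(name, "quote probe ->", outcome(lookup, db, "alice'"))
        print(name, "boolean differential ->", boolean_differential(lookup, db, "alice"))
```

The concatenated lookup errors on a lone quote and returns different rows for the true and false conditions; the parameterized lookup returns an empty result for every probe because no username literally contains the probe text. That contrast is the whole case for the "parameterize queries consistently" mitigation: the fix removes the clue rather than hiding it.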
Validation clues
- SQL errors or stack traces
- content differences under boolean conditions
- measurable timing differences
- auth or data access behavior changes unexpectedly

Mitigation
- parameterize queries consistently
- avoid raw string concatenation
- constrain DB privileges
- review query-building helpers and ORMs for unsafe escape hatches
- monitor suspicious query patterns safely

Logging / detection
- repetitive syntax-like probes
- abnormal query timing patterns
- errors around query parsing or type coercion

Related notes
- sql-injection
- http-messages
- business-logic-vulnerabilities
- packet-analysis

References
- Testing / Lab: PortSwigger SQL injection topic — https://portswigger.net/web-security/sql-injection
- Foundational: OWASP Top 10 Injection — https://owasp.org/Top10/2021/A03_2021-Injection/
- Foundational: OWASP WSTG — https://owasp.org/www-project-web-security-testing-guide/latest/
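The three "Logging / detection" signals (repetitive syntax-like probes, abnormal query timing, errors around query parsing) can be checked from ordinary access logs. The script below is an added example, not part of the playbook, and runs over constructed sample log lines in an assumed format of "timestamp client-ip method path?query status db-milliseconds"; the field layout, thresholds, and function names (parse_line, syntax_markers, analyze) are assumptions made for this illustration, not a real tool's interface. It goes one step beyond the list by baselining latency per endpoint from clean requests, so a single apostrophe in a legitimate value (o'reilly) does not raise an alert on its own.

```python
import re
import statistics
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (not real traffic, not from the page).
# Format assumed here: "<timestamp> <client-ip> <method> <path?query> <status> <db-ms>"
LOG_LINES = [
    "2024-05-01T10:00:01Z 203.0.113.5 GET /products?category=gifts 200 41",
    "2024-05-01T10:00:02Z 203.0.113.5 GET /products?category=gifts%27 500 39",
    "2024-05-01T10:00:03Z 203.0.113.5 GET /products?category=gifts%27%20AND%20%271%27%3D%271 200 40",
    "2024-05-01T10:00:04Z 203.0.113.5 GET /products?category=gifts%27%20AND%20%271%27%3D%272 200 38",
    "2024-05-01T10:00:05Z 203.0.113.5 GET /products?category=gifts%27%20AND%20sleep(5)-- 200 5043",
    "2024-05-01T10:00:06Z 198.51.100.7 GET /products?category=tech 200 44",
    "2024-05-01T10:00:07Z 198.51.100.7 GET /products?category=o%27reilly 200 43",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")

# Tokens that suggest a value is shaped to influence an SQL parser rather than to
# carry plain data: quotes, comment openers, statement separators, and SQL keywords.
SYNTAX_MARKERS = re.compile(
    r"(['\"]|--|/\*|;|\b(?:or|and|union|select|sleep|benchmark|waitfor)\b)",
    re.IGNORECASE,
)


def parse_line(line):
    """Split one log line into a dict; query parameters are percent-decoded."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, target, status, ms = m.groups()
    parts = urlsplit(target)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return {"ts": ts, "ip": ip, "method": method, "path": parts.path,
            "params": params, "status": int(status), "ms": int(ms)}


def syntax_markers(params):
    """Return every syntax-like token found in any parameter value."""
    found = []
    for value in params.values():
        found.extend(m.group(0) for m in SYNTAX_MARKERS.finditer(value))
    return found


def analyze(lines, repeat_threshold=3, timing_factor=10.0):
    """Produce alert tuples for the three detection signals from the playbook."""
    events = [e for e in (parse_line(line) for line in lines) if e]
    alerts = []
    probes_by_ip = defaultdict(int)

    # Baseline latency per endpoint from requests carrying no syntax markers.
    baseline = defaultdict(list)
    for e in events:
        if not syntax_markers(e["params"]):
            baseline[e["path"]].append(e["ms"])
    medians = {path: statistics.median(v) for path, v in baseline.items()}

    for e in events:
        markers = syntax_markers(e["params"])
        if not markers:
            continue
        probes_by_ip[e["ip"]] += 1
        # Signal 3: a server error on a request that carries parser-shaped input.
        if e["status"] >= 500:
            alerts.append(("server_error_on_probe", e["ip"], e["path"], markers))
        # Signal 2: the same request class takes far longer than the endpoint's norm.
        median = medians.get(e["path"])
        if median and e["ms"] > timing_factor * median:
            alerts.append(("timing_anomaly_on_probe", e["ip"], e["path"], e["ms"]))

    # Signal 1: one client sending parser-shaped values repeatedly.
    for ip, count in probes_by_ip.items():
        if count >= repeat_threshold:
            alerts.append(("repeated_syntax_probes", ip, count))
    return alerts


if __name__ == "__main__":
    for alert in analyze(LOG_LINES):
        print(alert)
```

Only 203.0.113.5 is reported: one server error on the quote probe, one latency outlier (5043 ms against a median of 42.5 ms for /products), and four marker-bearing requests against a threshold of three. The single apostrophe from 198.51.100.7 stays below the repeat threshold and is not a timing outlier, which is the point of pairing a marker match with a per-client count and a per-endpoint baseline instead of alerting on any quote character.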