Vulnerability assessors and code auditors are often faced with situations where a large volume of code needs to be audited quickly to enable a deployment. In these situations large web applications need to be reviewed in a fast and efficient manner. Although a code level analysis is often the most effective way to analyse the security of an application it is a time consuming process and not all practical.
SQL injection attacks bear many of the same fundamental hallmarks as XSS attacks. At its core and SQL injection abuses the web application to introduce unintended functionality. SQL injection aims to escape out of the confines of a developer crafted SQL statement to alter the SQL. This tutorial/exercise demonstrates using SQL injection to bypass authentication. It also suggests several ways to mitigate the threat of SQL injection or prevent it altogether.