SQL Injection in a Cookie

    • #4835

      What are some tools that can be used to exploit a SQL injection found in a cookie?  I have used Paros and Core Impact to find them, but I am looking for something to exploit it and prove my findings.  

      Thanks in advance!

    • #30416

      I am not sure of which tools would do this automatically.  I am curious as well. 

      However, you should be able to do this manually.  Suppose you have a cookie with a set of values, like


      The application in theory would check these fields.  If you enter an injection vector through JS-injection or just tampering with the request, you should be able to reach the database.  The application would have to read the cookie though.

      javascript:void(document.cookie="val1=' or 1 = 1--")
    • #30417

      Once the cookie data is getting used in the backend DB, it may be exploitable. You should look at something like SQLmap. It will allow you to form custom injections (required here for the cookie).

      In addition to the common input sources, the tool can also test cookies.

      Although, confirm the vulnerability first with Ketchup's manual injections.

      Hope it helps

    • #30418

      Thanks you two, this does help.
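The point made in the thread, that a cookie only matters once the application reads it into a backend query, shown from the fix side as an added example that is not part of any post above. The `sessions` table, its rows, the `val1` lookup and all function names are constructed for illustration; the probe string is the one quoted in the thread.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for the application's backend table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (token TEXT, username TEXT)")
    db.executemany("INSERT INTO sessions VALUES (?, ?)",
                   [("a1b2c3", "alice"), ("d4e5f6", "bob")])
    return db

def cookie_value(header, name):
    # Minimal Cookie-header parser: "k1=v1; k2=v2" -> value of `name`.
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return ""

def lookup_vulnerable(db, header):
    # BEFORE: the cookie value is concatenated into the SQL text,
    # so the client controls the structure of the query.
    token = cookie_value(header, "val1")
    sql = "SELECT username FROM sessions WHERE token = '" + token + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_safe(db, header):
    # AFTER: the cookie value is bound as a parameter and is only ever data.
    token = cookie_value(header, "val1")
    sql = "SELECT username FROM sessions WHERE token = ?"
    return [row[0] for row in db.execute(sql, (token,))]

def leaks_on_probe(lookup, db):
    # Regression check for your own handler: the thread's tautology probe
    # must not return rows that a token matching nothing does not return.
    baseline = lookup(db, "val1=no-such-token")
    probed = lookup(db, "val1=' or 1 = 1--")
    return sorted(probed) != sorted(baseline)

if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler leaks:", leaks_on_probe(lookup_vulnerable, db))
    print("parameterized handler leaks:", leaks_on_probe(lookup_safe, db))
```

Cookies are client-controlled input like any form field, so the same parameter binding applies to every value read from them.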


Copyright ©2020 Caendra, Inc.
