Other Endpoints
Stored Procedure
A stored procedure is a set of precompiled SQL statements kept in the database and executed as a single unit when an application calls it. Stored procedures accept parameters, but using one does not by itself prevent SQL injection: if the procedure concatenates a parameter into a query string and executes that string, an unsanitized parameter is injectable in exactly the same way as in application code.
For example:
CREATE PROCEDURE sp_getUserData
    @user NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(4000)
    -- @user is spliced straight into the query text (deliberately vulnerable)
    -- [user] is bracketed because user is a reserved word in T-SQL
    SET @sql = 'SELECT * FROM data WHERE [user] = ''' + @user + ''''
    EXEC(@sql)
END

Here @user is the parameter used in the SELECT query. It is concatenated directly into the query string and run with EXEC, with no validation and no parameter binding, so a value containing a single quote closes the string literal and the rest of the value is executed as SQL.
XML and JSON Injection
Applications also consume XML and JSON documents (request bodies, messages, configuration). A parser only enforces the document's syntax; a string field can still contain quotes and SQL keywords. If a value extracted from XML or JSON is placed into a SQL query without validation or parameter binding, the injection works the same as with any other input: the SQL engine sees only the final query text, not where the value came from.
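The following T-SQL is an added example, not code from the original page. It exercises the sp_getUserData pattern from the Stored Procedure section above with an injected parameter, shows two hardened versions, and then repeats the exercise with the value taken from a JSON document and an XML document as described in this section. It assumes SQL Server 2016 or later and a hypothetical table dbo.data([user], secret) created here for the demonstration; all procedure names other than sp_getUserData are made up for the example.

```sql
-- Added example (not from the original page). Assumes SQL Server 2016+.
-- dbo.data is a constructed sample table; [user] is bracketed because
-- user is a reserved word in T-SQL.
CREATE TABLE dbo.data ([user] NVARCHAR(50), secret NVARCHAR(100));
INSERT INTO dbo.data VALUES (N'alice', N'alice-secret'), (N'bob', N'bob-secret');
GO

-- 1. Dynamic SQL built by concatenation (the pattern from the page).
CREATE PROCEDURE dbo.sp_getUserData_vulnerable
    @user NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(4000);
    SET @sql = N'SELECT [user], secret FROM dbo.data WHERE [user] = ''' + @user + N'''';
    EXEC(@sql);
END
GO

-- Normal call: returns alice's row only.
EXEC dbo.sp_getUserData_vulnerable @user = N'alice';

-- Injected call. The T-SQL literal N''' OR 1=1 --' has the value  ' OR 1=1 --
-- so the executed text becomes
--   SELECT [user], secret FROM dbo.data WHERE [user] = '' OR 1=1 --'
-- and every row is returned; the trailing quote is commented out.
EXEC dbo.sp_getUserData_vulnerable @user = N''' OR 1=1 --';
GO

-- 2a. Fix: no dynamic SQL. The parameter is bound as data, never parsed as SQL.
CREATE PROCEDURE dbo.sp_getUserData
    @user NVARCHAR(50)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT [user], secret FROM dbo.data WHERE [user] = @user;
END
GO

-- 2b. If dynamic SQL is unavoidable, pass values through sp_executesql
-- parameters; the value never becomes part of the statement text.
CREATE PROCEDURE dbo.sp_getUserData_dynamic
    @user NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(4000) =
        N'SELECT [user], secret FROM dbo.data WHERE [user] = @u;';
    EXEC sp_executesql @sql, N'@u NVARCHAR(50)', @u = @user;
END
GO

-- The same payload now matches nothing: it is compared literally with the column.
EXEC dbo.sp_getUserData        @user = N''' OR 1=1 --';
EXEC dbo.sp_getUserData_dynamic @user = N''' OR 1=1 --';
GO

-- 3. Same value arriving inside a JSON body and inside an XML document
-- (constructed inputs). The parsers extract the field correctly; what
-- matters is what the extracted string is then used for.
DECLARE @json NVARCHAR(MAX) = N'{"user": "'' OR 1=1 --"}';
DECLARE @xml  XML           = N'<req><user>'' OR 1=1 --</user></req>';

DECLARE @fromJson NVARCHAR(50) = JSON_VALUE(@json, N'$.user');
DECLARE @fromXml  NVARCHAR(50) = @xml.value('(/req/user)[1]', 'NVARCHAR(50)');

-- Vulnerable: the parsed value is concatenated into the statement -> all rows.
DECLARE @bad NVARCHAR(4000) =
    N'SELECT [user], secret FROM dbo.data WHERE [user] = ''' + @fromJson + N'''';
EXEC(@bad);

-- Safe: the parsed values are bound as parameters -> no rows for either input.
EXEC sp_executesql
    N'SELECT [user], secret FROM dbo.data WHERE [user] = @u;',
    N'@u NVARCHAR(50)', @u = @fromJson;
EXEC sp_executesql
    N'SELECT [user], secret FROM dbo.data WHERE [user] = @u;',
    N'@u NVARCHAR(50)', @u = @fromXml;
GO
```

When reviewing a procedure, the check is mechanical: look for EXEC(@string) or EXECUTE(@string) where @string was built with + from any parameter, variable, or value pulled out of JSON_VALUE, OPENJSON or an XML .value() call. Those are the injection points; sp_executesql with a parameter list, or a static query, is the fix.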