[Full-disclosure] Cookie based SQL Injection
adam at infosecinstitute.com
Tue Mar 6 20:28:51 GMT 2012
Injecting malicious code in cookie:
Unlike other parameters, cookies are not supposed to be handled by users. Outside of session cookies, which are (usually) random, cookies may contain data in the clear or encoded in hexadecimal, base64, hashes (MD5, SHA1), or serialized information. If we can determine the encoding used, we will attempt to inject SQL commands. Read more about the technique here:
Full-Disclosure is hosted and sponsored by Secunia.
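The point about encoded cookies, as an added example that is not part of the original post: a server-side lookup that trusts a base64-encoded cookie, next to a hardened version. The table, cookie format and function names are assumptions made for illustration, and the cookie values are constructed.

```python
import base64
import re
import sqlite3

def make_db():
    """Constructed in-memory table standing in for the application's data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE prefs (username TEXT PRIMARY KEY, theme TEXT)")
    db.executemany("INSERT INTO prefs VALUES (?, ?)",
                   [("alice", "dark"), ("bob", "light")])
    return db

def encode_cookie(value):
    """How the hypothetical application stores the username client-side."""
    return base64.b64encode(value.encode()).decode()

def lookup_vulnerable(db, cookie):
    # Decoding is not sanitising: the decoded text is still client-controlled,
    # and here it is pasted straight into the SQL statement.
    username = base64.b64decode(cookie).decode()
    sql = "SELECT username, theme FROM prefs WHERE username = '%s'" % username
    return db.execute(sql).fetchall()

USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def lookup_hardened(db, cookie):
    # 1. Strict decode: reject anything that is not well-formed base64/UTF-8.
    #    (binascii.Error and UnicodeDecodeError are both ValueError subclasses.)
    try:
        username = base64.b64decode(cookie, validate=True).decode("utf-8")
    except ValueError:
        return []
    # 2. Allow-list the decoded value against the expected format.
    if not USERNAME_RE.fullmatch(username):
        return []
    # 3. Bind the value as a parameter so it can never change the query shape.
    return db.execute(
        "SELECT username, theme FROM prefs WHERE username = ?", (username,)
    ).fetchall()

# Constructed cookie values: one legitimate, one tampered with.
GOOD_COOKIE = encode_cookie("alice")
TAMPERED_COOKIE = encode_cookie("x' OR '1'='1")
```

With the tampered cookie the vulnerable lookup returns every row in the table, while the hardened lookup rejects it at the allow-list step and would remain safe at the bound parameter even if that check were loosened.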