
SQL Piggybacking
- Attacker may extend an application's SQL statement to extract or update information that the attacker is not authorized to access
- "How I Hacked Packetstorm", http://www.wiretrip.net/rfp/p/doc.asp?id=42
- Attacker will explore how the Web application interacts with the back-end database by finding a user-supplied input string that becomes part of a database query
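The mechanism the slide describes, as an added example that is not part of the original slides: a hypothetical handler that pastes a user-supplied string into its SQL lets that string extend the WHERE clause, while the same query with a bound parameter treats the string as a plain value. The table, rows and probe string are constructed for the demonstration; `sqlite3` is the standard-library driver.

```python
import sqlite3

# Constructed sample data for the demonstration (not from any real system).
ROWS = [
    (1, "alice", "alice's private note"),
    (2, "bob", "bob's private note"),
    (3, "carol", "carol's private note"),
]


def make_db():
    """Build an in-memory database holding one note per owner."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO notes VALUES (?, ?, ?)", ROWS)
    return conn


def notes_for_owner_vulnerable(conn, owner):
    """Hypothetical vulnerable handler: the user-supplied owner name is
    concatenated into the statement, so quote characters in it become SQL."""
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def notes_for_owner_safe(conn, owner):
    """Hardened form: the owner name is passed as a bound parameter, so the
    driver hands it to the engine as data and never parses it as SQL."""
    sql = "SELECT body FROM notes WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def demo():
    """Run both handlers on a normal input and on the classic probe string
    and return the rows each one exposes."""
    conn = make_db()
    benign = "alice"
    # Constructed probe of the kind the slide describes: a quote closes the
    # string literal and a tautology widens the WHERE clause to every row.
    probe = "alice' OR '1'='1"
    return {
        "vulnerable_benign": notes_for_owner_vulnerable(conn, benign),
        "vulnerable_probe": notes_for_owner_vulnerable(conn, probe),
        "safe_benign": notes_for_owner_safe(conn, benign),
        "safe_probe": notes_for_owner_safe(conn, probe),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Against the probe string the concatenating handler returns all three owners' notes, which is exactly the unauthorized read the slide warns about; the parameterized handler returns nothing, because no row has an owner literally named `alice' OR '1'='1`. The fix is structural (keep data out of the statement text), not a filter on quote characters.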