What automated tools are there?
~~ Mark Harrison ~~
+3
A:
sqlmap: a SQL injection tool
sqlmap is an automatic SQL injection tool developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specific DBMS tables/columns, run his own SQL SELECT statement, read specific files on the file system and much more.
Mark Harrison
2008-10-10 07:41:30
+6
A:
- http://www.security-hacks.com/2007/05/18/top-15-free-sql-injection-scanners
- http://www.darknet.org.uk/2008/09/bsql-hacker-automated-sql-injection-framework/
You can also find a script kiddy app and aim it at your site, they like to use SQL injection.
But rather than doing all that, isn't it simpler and easier to use a library that prevents SQL injection?
John Millikin
2008-10-10 07:42:51
I find it very sound to check it anyway, even if the library says to prevent them. How do you know there's no bug (or backdoor) in the library, besides a thorough code review and testing?
Vinko Vrsalovic
2008-10-10 08:30:30
@Vinko: because a proper library will simply call the database layer's escape function (mysql_real_escape_string) on all inputs. Such functions are extensively vetted for security.
John Millikin
2008-10-10 08:41:45
And how do you know a library is "proper" without checking it first? A certain degree of paranoia is healthy.
Vinko Vrsalovic
2008-10-10 08:46:59
@John: It is not guaranteed that an application will even *have* a distinct data layer (i.e., crappily-written legacy apps).
Jon Seigel
2010-03-03 15:37:06
+1
A:
A commercial automated tool is Scan Alert from McAfee. They spider your site daily and report any vulnerabilities - not just SQL injection, but also things like ports that should not be open or insecure versions of software running on the server.
MrZebra
2008-10-10 07:49:03
+3
A:
How about simply avoiding the use of techniques that allow SQL injection attaks in the first place?
If you use Prepared Statements instead of Dynamic SQL, you're golden - SQL injection attacks become impossible, and you get better performance to boot! Never use a user-provided string in dynamic SQL! This is the only way to be certain that your DB is safe from injection attacks. Even automated tools have blind spots - they're created by humans after all...
Useful resource: Oracle Tutorial on Defending against SQL Injection Attacks
Galghamon
2008-10-10 08:25:02
A:
The findbugs tool has some support for detecting potential SQL injection attacks in Java code, using static analysis. Essentially it will look for cases where input parameters are used to construct SQL queries rather than used as prepared statement parameters.
Michael Barker
2008-10-10 08:40:12
+4
A:
There are several plugins for Firefox: HackBar, SQL Injection 1.2
David Robbins
2008-10-10 10:53:47
+2
A:
http://www.securitycompass.com/
I've not really used their firefox plug in, but one of them is meant to find SQL injection problems.
jeff porter
2008-10-10 11:01:25
https://addons.mozilla.org/en-US/firefox/addon/7597/ is the link for the Firefox plugin. IMHO, it's the easiest tool I've found for testing SQL Injections.
Axeva
2010-09-23 14:52:34
+1
A:
WebCruiser - Web Vulnerability Scanner, is not only a Web Security Scanning Tool, but also an automatic SQL Injection Tool, an XPath Injection Tool, and a Cross Site Scripting Tool!
Yale
2010-08-12 04:24:21