tags:

views:

86

answers:

4
+1  Q: 

SQL Injection Compromised site?

This may sound like a weird question but is there any where I can download a website that is vulnerable to sql injection the url kind not login bypass?

I'm making a vulnerability scanner and I want to learn some SQLi so i can include it in my project.

Thanks, it doesn't need to be fancy. Just enough to practice on.

+7  A: 

OWASP WebGoat is the usual example. Includes SQL injection vulnerabilities.

Tom Hawtin - tackline  2010-09-05 14:36:14
+1 - OWASP should always be the first port of call when it comes to web security.
Oded  2010-09-05 14:37:03
Thats pretty cool but do i have to go through all the lessons or can I just exploit the SQLi and do the others later?
 2010-09-05 14:39:26
In the end I read up on php GET and decided to make my own, not as hard as expect. All though webGoat looks really fun to play with.
 2010-09-05 21:52:29
+1  A: 

No, you cannot download their site to test for injection vulnerabilities. You need to download their whole DB and configs to do what you are saying. If you want to benevolently go checking the security of various sites, you have to ask them about their system and model it on your own. OWASP works on systems not recently updated with patches, like the comment of tackline-its a first port.

Vass  2010-09-05 14:47:51
I didn't expect to download a real hosted site. I had expect that someone at some point had made a pack of the files needed to locally host a vulnerable site to use as your own security playground.
 2010-09-05 14:53:04
very very few would pack it and send it to you, especially if you want to 'test' their vulnerabilities.
Vass  2010-09-05 14:58:02
No. You don't understand. I mean a pack of files that were designed to be broken with built in vulnerabilitys. Just looks at WebGoat, that's exactly what I mean. Even if webgoat works on unpatched systems I want to learn sql injection in a legal enviorment.
 2010-09-05 15:10:36
A: 

OWAPS's WebGoat is an application that is built to be vulnerable to attack, it is a simulation of real world vulnerabilities. The Whitebox is a collection of real world vulnerabilities, it has 2 web applications that where abandoned because the applications where so insecure. It also has a set of challenges there are vulnerable code snips taken from real world applications. This project has real world sql injection as well more serious vulnerabilities.

Try scanning the vulnerable apps with Wapiti (open source) or Acunetix ($) or NTOSpider($$$). Then try using the applications, create blog posts ect, and then scan it again.

Also check out Damn Vulnerable Linux and Google Jarlsburg.

Rook  2010-09-05 18:02:53
A: 

Developing a vulnerability scanner, but have no working knowledge of HTTP Get Variables.... something doesn't add up.

 2010-09-05 18:21:06

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security