views:

2814

answers:

8

What automated tools are there?

~~ Mark Harrison ~~

+3  A: 

sqlmap: a SQL injection tool

sqlmap is an automatic SQL injection tool developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specific DBMS tables/columns, run his own SQL SELECT statement, read specific files on the file system and much more.

http://sqlmap.sourceforge.net

Mark Harrison
+6  A: 

You can also find a script kiddy app and aim it at your site, they like to use SQL injection.

But rather than doing all that, isn't it simpler and easier to use a library that prevents SQL injection?

John Millikin
I find it very sound to check it anyway, even if the library says to prevent them. How do you know there's no bug (or backdoor) in the library, besides a thorough code review and testing?
Vinko Vrsalovic
@Vinko: because a proper library will simply call the database layer's escape function (mysql_real_escape_string) on all inputs. Such functions are extensively vetted for security.
John Millikin
And how do you know a library is "proper" without checking it first? A certain degree of paranoia is healthy.
Vinko Vrsalovic
@John: It is not guaranteed that an application will even *have* a distinct data layer (i.e., crappily-written legacy apps).
Jon Seigel
+1  A: 

A commercial automated tool is Scan Alert from McAfee. They spider your site daily and report any vulnerabilities - not just SQL injection, but also things like ports that should not be open or insecure versions of software running on the server.

MrZebra
+3  A: 

How about simply avoiding the use of techniques that allow SQL injection attacks in the first place?
If you use Prepared Statements instead of Dynamic SQL, you're golden - SQL injection attacks become impossible, and you get better performance to boot! Never use a user-provided string in dynamic SQL! This is the only way to be certain that your DB is safe from injection attacks. Even automated tools have blind spots - they're created by humans after all...

Useful resource: Oracle Tutorial on Defending against SQL Injection Attacks

Galghamon
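The contrast this answer draws (and the "use a library that prevents SQL injection" advice above) is easiest to see side by side. The following is an added example, not code from the original answers: a vulnerable lookup that builds dynamic SQL from a user-supplied string, next to the same lookup written as a prepared (parameterized) statement. It uses Python's standard sqlite3 module with a constructed in-memory users table, so it runs offline; the table contents and function names are assumptions for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data: three users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_dynamic(conn, name):
    """Vulnerable: the user-provided string becomes part of the SQL text.

    Anything the caller passes is parsed by the database as SQL, so the
    WHERE clause can be rewritten by the input."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_prepared(conn, name):
    """Safe: the SQL text is fixed; the value is bound as a parameter.

    The driver sends the statement and the value separately, so the input
    is only ever compared as data and can never change the query structure."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed probe input: a classic tautology that a scanner such as
    # sqlmap would send.  The dynamic query returns every row; the
    # prepared query looks for a user literally named "' OR '1'='1" and
    # finds nothing.
    probe = "' OR '1'='1"
    print("dynamic :", find_user_dynamic(db, probe))
    print("prepared:", find_user_prepared(db, probe))
```

With ordinary input both functions return the same row; the difference only appears when the input contains SQL syntax, which is exactly the case an automated scanner exercises.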
A: 

The findbugs tool has some support for detecting potential SQL injection attacks in Java code, using static analysis. Essentially it will look for cases where input parameters are used to construct SQL queries rather than used as prepared statement parameters.

Michael Barker
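To show what the static check described in this answer looks like in practice, here is an added example (not FindBugs code, and not from the original answer) that applies the same idea to Python source: walk the syntax tree and flag every `execute()`/`executemany()` call whose first argument is assembled at runtime (concatenation, `%`-formatting, f-string or `str.format`) rather than passed as a fixed string with bound parameters. The sample source it scans is constructed for the demonstration.

```python
import ast

# Constructed sample: three unsafe query constructions and one safe one.
SAMPLE_SOURCE = '''\
def lookup(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
    cur.execute("SELECT * FROM users WHERE name = '{}'".format(name))
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
'''

SQL_CALLS = ("execute", "executemany")


def classify_sql_argument(node):
    """Return a reason string if the SQL text node is built at runtime, else None."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return "SQL built with string concatenation or %-formatting"
    if isinstance(node, ast.JoinedStr):
        return "SQL built with an f-string"
    if (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "SQL built with str.format()"
    return None


def find_dynamic_sql(source, filename="<constructed>"):
    """Return a sorted list of (line_number, reason) for suspicious SQL calls.

    This is a purely syntactic check, like the simplest FindBugs detectors:
    it only inspects the expression passed directly to execute().  A query
    string concatenated into a variable on an earlier line and then passed
    by name would need data-flow tracking and is not caught here."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name not in SQL_CALLS:
            continue
        reason = classify_sql_argument(node.args[0])
        if reason:
            findings.append((node.lineno, reason))
    return sorted(findings)


if __name__ == "__main__":
    for line, reason in find_dynamic_sql(SAMPLE_SOURCE):
        print(f"line {line}: {reason}")
```

Running it reports lines 2, 3 and 4 of the sample and stays silent on line 5, where the value travels as a bound parameter. The limitation noted in the docstring is the reason real tools add data-flow analysis on top of this pattern match.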
+4  A: 

There are several plugins for Firefox: HackBar, SQL Injection 1.2

David Robbins
+2  A: 

http://www.securitycompass.com/

I've not really used their Firefox plug-in, but one of them is meant to find SQL injection problems.

jeff porter
https://addons.mozilla.org/en-US/firefox/addon/7597/ is the link for the Firefox plugin. IMHO, it's the easiest tool I've found for testing SQL Injections.
Axeva
+1  A: 

WebCruiser - Web Vulnerability Scanner, is not only a Web Security Scanning Tool, but also an automatic SQL Injection Tool, an XPath Injection Tool, and a Cross Site Scripting Tool!

http://sec4app.com

Yale