How can I automatically test my site for SQL injection attacks, using either a script or program?

I've searched and found a good discussion here on SO, but it is several years old.

What programs are there, or is there a simple script I can run, to find the SQL injection holes in the URLs in my entire site?

Preferably, I'd like to run a script (PHP) or program that crawls my site, bouncing from link to link, attempting to find holes, and upon discovery, stores that URL so I have a list of URLs I need to fix.

Does this exist?

Answers


Yes and no. First i'll preface this by saying I'm not just posting links but have done security audits professionally using all of these tools and not as a developer on a project but an external resource. Note that generally sqlserver injection is different than mysql as well.

Free tools like paros proxy [crawls] (previously mentioned),

burpsuite (previously mentioned [crawls] but active attacks requires pro): http://portswigger.net/burp/

sqlninja (sqlserver only) http://sqlninja.sourceforge.net/

google rat proxy: [crawls] http://code.google.com/p/ratproxy/

websecurify: [crawls] http://www.websecurify.com/

wapiti: [crawls but takes work to set up - can be used specifically for sqli with spider] http://wapiti.sourceforge.net/

nikto: [crawls but not for sqli...]

are great! They can help you identify problems but take a great deal of human analysis due to large amounts of false positives. Commercial tools are available like:

NTOSpider (one of the best [crawls!]) : http://www.ntobjectives.com/software/ntospider

are very expensive but talking to a rep will get you a free copy for a period of time (which I have done with them). They make sorting through results faster by providing validation links in the reports but you STILL need a trained eye and analysis as I have found false positives.

Ultimately the correct answer to this question is: You can use tools to help you identify if there are security (sqli) vulnerabilities but only a trained eye using the tools can validate them. Further only a proper code review and analysis can identify vulnerabilities that an app (even a very good one) may miss.

Tools can help but you need human time and analysis to do this correctly. Proxies and request manglers are the real tools for hitting the app with injection and are done with careful intention of trained testers or those with a curious mind.


I have two favorite tools (both free):

  1. sqlmap - You give it a URL, and it automatically scans for vulnerabilities. If it gets in, it gives you a SQL prompt.
  2. Paros Proxy - This one takes a little longer to set up. You have to configure your browser to use a proxy and then use your site (log in, navigate to other pages, etc.). Once you're done, it will analyze its cache of all the requests you made and show a report of the potential vulnerabilities it found.

The Burp Scanner works extremely well for finding SQL injection as well as a variety of other things. You have to shell out $300 for the scanner though, but that is fairly cheap when looking at other scanners in the market.

To elaborate, what you are looking for is a web application vulnerability scanner. These will crawl your site and send attack vectors into various parameters. Of all the scanners that I have used, Burp has given me the best results and has great performance. If you are looking for a free alternative you can try Grendel Scan It has not been updated in a while but still works pretty well. Especially for a free tool.

Here is a list of some the other vulnerability scanners that are out there. I am sure you will find something to meet your needs.


There are programs to detect SQL injections, for example:


There are enormous tools present in market for crawling all pages and detecting SQL injections. You should read this discussion it's never late How can I prevent SQL injection in PHP? and Testing for security vulnerabilities in web applications: Best practices?.

I would suggest Wapiti for finding web application vulnerabilities. Acunetix is over priced.

See more:


What I test in my sites :

If you have log-in form for example try to enter:

username field : anytext or 1=1'

Password field : anypassword

if you didn't cover sql injection in your code , you can login by that .

Thanks


Need Your Help

Java Reflection getDeclaredMethod() with Class Types

java reflection

I'm trying to understand Java reflecton and am encountering difficulties when working with non-Integer setter methods.

Random over ThreadLocalRandom

java multithreading random

Instances of java.util.Random are threadsafe. However, the concurrent