Penetration Testing mailing list archives
Re: SQL injections and connections to a DB
From: "Dean H. Saxe" <dean () fullfrontalnerdity com>
Date: Fri, 15 Jul 2005 16:10:26 -0400
Nikto will not check for SQL Injection vulnerabilities in your code. I'd suggest a manual pen test; for starters, put a single quote in any field -- don't forget hidden fields! If an error is returned, you are subject to SQL injection. That will just scratch the surface, however. Some languages, ColdFusion for example, do a great job of escaping single quotes in most cases, so varchar/char fields are generally not SQL injectable unless the developer goes about making them injectable by using PreserveSingleQuotes(). So check up on your language and how it handles these cases.
There are scanners out there, such as WebInspect by SPIDynamics (imho, the best available today, even though I still avoid them all), which will do this for you in addition to checking for XSS and known server-level vulnerabilities. However, it's my belief that these types of scanners will only find the low-hanging fruit and may not find all vulnerabilities. Unfortunately, tools like WebInspect may lead people into a false sense of security. Having been burned by authorization flaws missed by tools like WebInspect in the past, I avoid them now and test manually.
In fact, I'm doing a web app pen test right now... which means it's time to stop emailing and start working. ;-)
-dhs

Dean H. Saxe, CEH
dean () fullfrontalnerdity com

"To announce that there must be no criticism of the president, or that we are to stand by the president right or wrong, is not only unpatriotic and servile, but is morally treasonable to the American public."
-- Theodore Roosevelt

On Jul 13, 2005, at 8:09 AM, Felipe Balbi wrote:

I think nikto will serve your purposes. It's a perl script used to test web servers, very effective.

Felipe Balbi

--- Mike Tupker <mtupker () gmail com> wrote:

We have an IIS web server setup on our DMZ with a connection to our DB server which is running MS SQL server 7. Does anyone know of a program that will check the code in a web page for vulnerabilities such as SQL injections, overflows, or anything else that I might not be aware of? Basically, I would like to know if there is any way for someone to use the server on the DMZ to get to the DB server and cause damage.
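The single-quote check described in Dean's reply, worked through as an added example that is not part of this thread: a string-concatenated lookup, the quote-escaping approach he credits ColdFusion with, and a bound-parameter lookup are each probed with a lone quote to see which one surfaces a SQL error. SQLite stands in for the MS SQL Server in the original question, and the table, rows and function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_concat(conn, name):
    """Vulnerable: the form field is spliced straight into the SQL text,
    so a lone quote unbalances the string literal and the parser fails."""
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn, name):
    """Escaping by doubling quotes (what the post credits ColdFusion with):
    the probe no longer errors, but the value is still part of the SQL text."""
    sql = "SELECT role FROM users WHERE name = '" + name.replace("'", "''") + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Hardened: the field travels as a bound parameter, never as SQL."""
    sql = "SELECT role FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def probe(lookup, conn, field_value="'"):
    """The manual test from the reply: submit a single quote in the field and
    report whether the back end raised a SQL error, the symptom to look for."""
    try:
        lookup(conn, field_value)
        return "no error"
    except sqlite3.Error as exc:
        return "sql error: " + str(exc)


if __name__ == "__main__":
    db = make_db()
    for fn in (lookup_concat, lookup_escaped, lookup_param):
        print(fn.__name__, "->", probe(fn, db))
```

A "no error" result only shows that this one field survived this one probe; as the reply says, that scratches the surface, and only the parameterized form removes the field from the SQL text altogether.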