Penetration Testing mailing list archives

Re: SQL injections and connections to a DB


From: "Dean H. Saxe" <dean () fullfrontalnerdity com>
Date: Fri, 15 Jul 2005 16:10:26 -0400

Nikto will not check for SQL Injection vulnerabilities in your code. I'd suggest a manual pen test, for starters put a single quote in any field -- don't forget hidden fields! If an error is returned, you are subject to SQL injection. That will just scratch the surface, however. Some languages, ColdFusion for example, do a great job of escaping single quotes in most cases, so varchar/char fields are generally not SQL injectable unless the developer goes about making them injectable by using PreserveSingleQuotes(). So check up on your language and how it handles these cases.

There are scanners out there, such as WebInspect by SPIDynamics (imho, the best available today, even though I still avoid them all), which will do this for you in addition to checking for XSS and known server-level vulnerabilities. However, it's my belief that these types of scanners will only find the low hanging fruit and may not find all vulnerabilities. Unfortunately, tools like WebInspect may lead people into a false sense of security. Having been burned by authorization flaws missed by tools like WebInspect in the past, I avoid them now and test manually.

In fact, I'm doing a web app pen test right now... which means it's time to stop emailing and start working. ;-)

-dhs

Dean H. Saxe, CEH
dean () fullfrontalnerdity com
"To announce that there must be no criticism of the president, or that we are to stand by the president right or wrong, is not only unpatriotic and servile, but is morally treasonable to the American public."
    -- Theodore Roosevelt
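The single-quote check Dean describes, and why proper escaping or parameter binding defeats it, as an added example that is not part of the original post. It uses an in-memory SQLite database as a stand-in for the DB server; the table, the `lookup_*` functions and the probe name are all constructed for this illustration.

```python
import sqlite3

# Constructed in-memory database standing in for the application's DB server.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "admin"), ("bob", "user")])


def lookup_vulnerable(name):
    """Builds the query by string concatenation: the input becomes part of
    the SQL text, so a stray single quote breaks the statement."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(name):
    """Binds the input as a parameter: the driver treats it purely as data,
    which is the effect languages like ColdFusion get by escaping quotes."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def single_quote_probe(lookup):
    """Dean's first check: put a single quote in a field and see whether the
    application errors. Returns (errored, detail); a database error coming
    back is the signal that the field feeds unescaped text into SQL."""
    try:
        rows = lookup("O'Brien")
    except sqlite3.Error as exc:  # syntax error from the broken statement
        return True, str(exc)
    return False, rows


if __name__ == "__main__":
    for fn in (lookup_vulnerable, lookup_safe):
        errored, detail = single_quote_probe(fn)
        print(f"{fn.__name__}: error={errored} detail={detail}")
```

The concatenated version raises an error on a name as ordinary as O'Brien, while the bound version simply returns no rows; the same error surfaced to a user is what Dean's manual test looks for.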


On Jul 13, 2005, at 8:09 AM, Felipe Balbi wrote:

I think nikto will serve your purposes.
It's a perl script used to test web servers, very
effective.

Felipe Balbi

--- Mike Tupker <mtupker () gmail com> wrote:

We have an IIS web server setup on our DMZ with a connection to our DB server which is running MS SQL server 7. Does anyone know of a program that will check the code in a web page for vulnerabilities such as SQL injections, overflows, or anything else that I might not be aware of? Basically, I would like to know if there is any way for someone to use the server on the DMZ to get to the DB server and cause damage.

