WebApp Sec mailing list archives

Re: good database testing tools to guard against SQL injection for Microsoft, Oracle?


From: Mike <secfocus () mikesbytes com>
Date: Mon, 10 May 2004 15:34:24 -0700

At 5/10/2004 09:54 AM, Earl.Perkins () metagroup com wrote:

does anyone have recommendations for good database testing tools
to spot and correct potential exploitation opportunities for SQL
injection attacks in Microsoft and Oracle database environments?
thanks.

Nessus (http://www.nessus.org) has worked well for me and it's free.

Basically, it scans the web server for scripts that accept input and tests them for SQL injection problems. The output in the report looks like this:

    The following URLs seem to be vulnerable to various SQL injection
    techniques :

    /new/script.asp?ITEM='UNION'&    =
    /new/script.asp?ITEM='UNION'&    =
    /new/script.asp?ITEM='&    =
    /new/script.asp?ITEM='%22&    =
    /new/script.asp?ITEM=9%2c+9%2c+9&    =
    /new/script.asp?ITEM='bad_bad_value&    =
    /new/script.asp?ITEM=bad_bad_value'&    =
    /new/script.asp?ITEM='+OR+'&    =
    /new/script.asp?ITEM='+OR+'&    =
    /new/script.asp?ITEM='WHERE&    =
    /new/script.asp?ITEM=%3B&    =
    /new/script.asp?ITEM='OR&    =

Of course, there are plenty of commercial tools like AppScan (http://www.sanctuminc.com/), WebInspect (http://www.spidynamics.com), ScanDo (http://www.kavado.com/ProductsScando.htm) and numerous others that claim to check for SQL injection vulnerabilities as well but I don't have enough experience with them to recommend them.
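To show what a defender can do with report output in the form quoted above, here is an added example (not part of the original post and not Nessus code) that parses the listed probe URLs, names the injection technique each one exercises, and flags the same probe patterns in constructed web-server access-log lines; the signatures, log lines and function names are assumptions made for the example.

```python
"""Parse the quoted Nessus SQL-injection report and flag access-log requests
that carry the same probe patterns. Added example; all data is constructed."""
import re
from urllib.parse import unquote_plus

# Constructed copy of the report excerpt quoted in the post.
NESSUS_REPORT = """\
    The following URLs seem to be vulnerable to various SQL injection
    techniques :

    /new/script.asp?ITEM='UNION'&    =
    /new/script.asp?ITEM='%22&    =
    /new/script.asp?ITEM=9%2c+9%2c+9&    =
    /new/script.asp?ITEM='+OR+'&    =
    /new/script.asp?ITEM=%3B&    =
"""

# Coarse signatures for the techniques the report's probes exercise.
SIGNATURES = [
    ("union_select", re.compile(r"\bunion\b", re.I)),
    ("tautology", re.compile(r"'\s*or\s*'", re.I)),
    ("stacked_query", re.compile(r";")),
    ("quote_break", re.compile(r"'")),
]

# Constructed Apache-style access-log lines (203.0.113.0/24 is a documentation range).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2004:15:34:24 -0700] "GET /new/script.asp?ITEM=42 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/May/2004:15:34:25 -0700] "GET /new/script.asp?ITEM=\'UNION\' HTTP/1.1" 500 0',
    '198.51.100.9 - - [10/May/2004:15:35:01 -0700] "GET /new/script.asp?ITEM=%3B HTTP/1.1" 500 0',
]

def parse_report(text):
    """Return the probe URLs, dropping the indent and the trailing '&    =' noise."""
    return [re.sub(r"&\s*=$", "", ln.strip())
            for ln in text.splitlines() if ln.strip().startswith("/")]

def classify(path):
    """Name the techniques a URL-decoded request path matches (may be empty)."""
    decoded = unquote_plus(path)
    return [name for name, rx in SIGNATURES if rx.search(decoded)]

def flag_log(lines):
    """Return (client_ip, request_path, techniques) for requests matching a signature."""
    hits = []
    for line in lines:
        m = re.match(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)', line)
        if m:
            techs = classify(m.group(2))
            if techs:
                hits.append((m.group(1), m.group(2), techs))
    return hits
```

The signatures are deliberately coarse (a plain apostrophe in a legitimate parameter will match `quote_break`), so tune them against your own traffic before turning the output into alerts.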


