Free tool helps find SQL injection vulnerabilities in Web applications

By Michelle Davidson, Editor
20 Feb 2006 | SearchSoftwareQuality.com


A new tool was released last week that helps penetration testers find SQL injection vulnerabilities.

Written by Francois Larouche, an independent application security professional, SQL Power Injector is a graphical application created in .Net 1.1 that helps penetration testers inject SQL commands on a Web page.

For now it supports SQL Server, Oracle and MySQL, but it can be used against any existing database management system (DBMS) in inline injection (Normal) mode.

Inline SQL injection is a significant part of SQL Power Injector, but the tool's main strength is in the multithreaded automation of the injection. Not only is it possible to automate tedious and time-consuming queries, but you can also modify the query to get only what you want.

The automation can be done in two ways: by comparing the expected result or by time delay. "The first way is generally compared against an error or a difference between a positive condition and a negative one, and the second way will turn out positive if the time delay sent to the server equals the one parameterized in the application," Larouche said in his announcement of the tool.
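The two automation signals described above (a positive condition compared against a negative one, and a time delay the server is asked to honour) leave distinctive traces in web server logs. As an added, defender-side example that is not part of the article or of the tool, this Python snippet flags both signals over constructed sample log lines; the log format, client addresses and paths are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl
# Constructed access-log sample (not from the article): client, request line, status, elapsed ms.
LOG = """\
10.0.0.5 "GET /item.asp?id=7 HTTP/1.1" 200 12
10.0.0.9 "GET /item.asp?id=7%20AND%201%3D1 HTTP/1.1" 200 11
10.0.0.9 "GET /item.asp?id=7%20AND%201%3D2 HTTP/1.1" 200 9
10.0.0.9 "GET /item.asp?id=7%3BWAITFOR%20DELAY%20'0:0:5'-- HTTP/1.1" 200 5013
10.0.0.9 "GET /item.asp?id=7%20AND%20SLEEP(5) HTTP/1.1" 200 5004
10.0.0.7 "GET /search.asp?q=sleepy%20owls HTTP/1.1" 200 14
"""
LINE_RE = re.compile(r'^(\S+) "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3}) (\d+)$')
# Delay primitives of the three DBMSs the tool supports (SQL Server, MySQL, Oracle).
DELAY_RE = re.compile(r"\b(?:WAITFOR\s+DELAY|SLEEP\s*\(|BENCHMARK\s*\(|DBMS_LOCK\.SLEEP)", re.I)
# An ordinary value with a boolean condition appended, e.g. "7 AND 1=1" / "7 AND 1=2".
COND_RE = re.compile(r"^(.*?)\s+(?:AND|OR)\s+\S+\s*=\s*\S+\s*$", re.I)

def parse(line):
    """Split one log line into client, path, decoded query parameters and elapsed ms."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, target, _status, ms = m.groups()
    url = urlsplit(target)
    return client, url.path, parse_qsl(url.query, keep_blank_values=True), int(ms)

def find_time_delay_probes(lines):
    """Requests whose parameters carry a delay primitive; the elapsed ms corroborates the hit."""
    hits = []
    for rec in filter(None, map(parse, lines)):
        client, path, params, ms = rec
        hits += [(client, path, name, ms) for name, value in params if DELAY_RE.search(value)]
    return hits

def find_boolean_probe_pairs(lines):
    """Same client, path and parameter probed with one base value but differing conditions."""
    groups = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        client, path, params, _ms = rec
        for name, value in params:
            m = COND_RE.match(value)
            if m:
                groups[(client, path, name, m.group(1))].add(value)
    return [key for key, values in groups.items() if len(values) >= 2]

if __name__ == "__main__":
    lines = LOG.splitlines()
    print("time-delay probes:", find_time_delay_probes(lines))
    print("boolean probe pairs:", find_boolean_probe_pairs(lines))
```

The benign `sleepy owls` search term is included to show that the delay pattern requires the call syntax, not just the word.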

Larouche said his goal was to make it as easy as possible to find and exploit a SQL injection vulnerability without having to use a browser. That is why, he said, an integrated browser displays the results of the injection, parameterized so that any related standard SQL error is displayed without the rest of the page.

"Another important part of this application is its power to get all the parameters you need to test the SQL injection, either by GET or POST method," Larouche said. With that, one won't need to use several applications or a proxy to intercept the data. Everything is automated, he said.


Larouche warned that SQL Power Injector won't find SQL injection vulnerabilities for you or find the right syntax once one is found. "Its main strength is to provide a way to find them more easily, and once they are found to automate it in a way that you won't need to make every single injection if the only way to inject is using the blind technique," he said.

He also said he didn't intend to make the tool a database-pumping application. "There are plenty of good applications for that. In any case, much pumped data is not relevant, and since it takes time to pump, it can be a real waste of time. It's better to refine and get what you really want," he said.

Larouche acknowledged that there are other tools out there that do similar things, but he said SQL Power Injector differs in that it offers the following:

  • Fine-tuning of SQL injection parameters
  • Time delay feature
  • Multithread feature
  • Response results in a customized browser

SQL Power Injector is available for free at http://www.sqlpowerinjector.com/download.htm. Note that it is Version 1 of the application, and Larouche is aware it has a few bugs. However, the tool is a work in progress and Larouche will be updating it constantly.
