Web Software Architecture and Engineering – Life on the Bleeding Edge

QA is working on hacking our system running the full gamut of security concerns (without costing much money). We’re not looking to hiring an outside firm, just yet.
And one of the things we are having a hard time finding is a tool that test for SQL Injection. Most of what we’ve found is overly complex or simply outdated.
Does anyone know of any tool – simple and easy to use, that can run through a site attempting all sorts of sql injection attacks?

Advertisements

Comments on: "Need Help : SQL Injection Tools" (9)

  1. @Tony,

    Like I said, we are looking for a tool my QA folks can use. Pete’s service is what I mentioned in my post as being out of scope for now.

  2. HP’s Scrawlr app is free and pretty easy to use. It’s not as good as a real penetration test by a security professional, but it will catch a fair amount of stuff.

    https://h30406.www3.hp.com/campaigns/2008/wwcampaign/1-57C4K/index.php

    BTW… this captcha friggin blows. Too complicated.
    There are also a number of free tools from Foundstone that can run various security tests.
    http://www.foundstone.com/us/resources-free-tools.asp

  3. @JC,

    I believe we eval’ed the HP tool, and found it to support ASP, and no ColdFusion.

  4. Scrawlr worked fine for coldfusion when I used it. It’s platform agnostic, just uses common injection techniques.

    If you’re using MSSQL, CF isn’t very susceptible to SQL injection (because there’s only one escape character and it’s handled by CF, so only unquoted numerics are dangerous). But there’s no reason to not use CFQueryparams to protect yourself properly.

    You could also poke around on some of the shadier locations on the internet and find some of the actual tools used by real hackers, which aren’t always the same as the more legitimate security tools. I’d strongly suggest doing any of that from within a virtual machine though.

  5. When publishing an application to salesForce they require your application to be tested by PortSwigger.net
    http://portswigger.net/suite/
    Which I believe handles SQL injection

  6. Pragnesh Vaghela said:

    We have started using Paros Proxy at work http://www.parosproxy.org/

    Features added in Paros v3.0.2: http://www.parosproxy.org/functions.shtml

  7. WebCruiser – Web Vulnerability Scanner
    WebCruiser – Web Vulnerability Scanner, an effective and powerful web penetration testing tool that will aid you in auditing your website! It has a Vulnerability Scanner and a series of security tools. It can support scanning website as well as POC (Proof of concept) for web vulnerabilities: SQL Injection, Cross Site Scripting, XPath Injection etc. So, WebCruiser is also an automatic SQL injection tool, an XPath injection tool, and a Cross Site Scripting tool!

  8. Download WebCruiser – Web Vulnerability Scanner
    http://sec4app.com/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: