SQL Injection Attacks and Defense - 2009

Testing for SQL Injection • Chapter 2 81
When you look at a Web application you can perceive where the potential vulnerabilities
might be. This happens because you can understand the application which is something that
an automated tool is not able to do.
A human can easily spot a part of a Web application which is not fully implemented,
maybe just reading a “Beta release – we are still testing” banner in the page. It seems apparent
that you may have better chances of finding interesting vulnerabilities there than testing
mature code.
Additionally, your experience tells you what part of the code might have been overlooked
by the programmers. For example, there are scenarios where most of the input fields may be
validated if they require direct entry from the user. However, those which are a result of
another process, dynamically written to the page (where the user can manipulate them) and
then reused in the SQL statements, tend to be less validated as they are supposed to come
from a trusted source.
On the other hand, automated tools are systematic and thorough. They don’t understand
the Web application logic, but they can test very quickly a lot of potential injection points
which is something that a human cannot do thoroughly and consistently.
Tools for Automatically Finding SQL Injection
In this section, I will show you some commercial and free tools designed to find SQL
injection vulnerabilities. Tools exclusively focused on exploitation will not be presented in
this chapter.
HP WebInspect
WebInspect is a commercial tool by Hewlett-Packard. Although you can use it as an SQL
injection discovery tool, the real purpose of this tool is to conduct a full assessment of the
security of a Web site. This tool requires no technical knowledge and runs a full scan, testing
for misconfigurations and vulnerabilities at the application server and Web application layers.
Figure 2.17 shows the tool in action.