- Easily test a URL for parameters that are vulnerable to SQL Injection.
- Identify poorly coded web applications that do not sanitise input and are vulnerable to SQL Injection.
- Test the effectiveness of a web application firewall or Intrusion Detection System (IDS / IPS).
SQL Injection has become a common issue with database-driven web sites. The flaw is easily detected and easily exploited, and as such any site or software package with even a minimal user base is likely to be subject to an attempted attack of this kind.
Why use this SQL Injection Test?
The benefit of this test is easy access to a fast and comprehensive SQL injection test against a single URL. This scan does not crawl your website to find every possible injection point; however, with such a quick and accurate test on hand, you can select a handful of HTTP GET based URLs from your target web site and test them immediately.
If you find that the HTTP GET based URLs are vulnerable to SQL injection, there is a good chance that other parts of the site are also vulnerable, and you are in need of a comprehensive web application assessment to ensure your website is safe from this damaging attack.
How do I perform a SQL injection test?
1. Enter the URL you wish to target. Note that this test only examines HTTP GET based parameters, so the URL should contain those parameters following the web domain. See the example below:
This example URL will have its two parameters, id and page, tested for SQL injection.
2. Enter the email address for delivery of the results.
3. Hit the start button to have the tests performed on the system.
Sample SQLmap Results
Technical Details of the scanner
The scan uses sqlmap to test the HTTP GET parameters of a URL. The scan runs with sqlmap's default settings, and only the database version is extracted if an injection point is found.
About the SQLmap project
SQL Injection is a common attack vector in dynamic web applications. It allows an attacker to gain access to the database or database functions through poor coding practice. We have documented an introduction to SQL injection; alternatively, a good SQL injection reference is available on the OWASP site.
The sqlmap tool is a powerful automated SQL injection testing tool. In recent reviews of web application assessment tools, sqlmap has consistently scored highly for the accuracy of its detection capability.
Recently there have been a number of high profile attacks that exploited SQL Injection; these have resulted in the loss of millions of customer records and hundreds of thousands of login / password combinations.
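As an added illustration (not code from this page or from the sqlmap project), the following shows the coding flaw the scanner looks for in a GET parameter such as id, the parameterised fix, and a boolean-based probe in the spirit of the check sqlmap performs. The table, its rows and the function names are constructed for the example.

```python
import sqlite3

# Constructed sample table standing in for a site's content database; not data from the page.
SAMPLE_ROWS = [(1, "home", "public"), (2, "news", "public"), (3, "admin", "private")]


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER, page TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, page_id):
    """The flaw the scanner looks for: the raw ?id= value is spliced into the SQL text."""
    sql = "SELECT id, page FROM pages WHERE id = " + page_id
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, page_id):
    """Validate the type, then bind the value, so it can only ever be compared as data."""
    if not page_id.isdigit():
        raise ValueError("id must be a positive integer")
    return conn.execute("SELECT id, page FROM pages WHERE id = ?", (int(page_id),)).fetchall()


def boolean_probe_differs(conn, lookup):
    """Boolean-based check in the spirit of sqlmap: a parameter is injectable when a true
    condition and a false condition appended to a valid value produce different results."""
    def fetch(value):
        try:
            return lookup(conn, value)
        except ValueError:
            return None  # rejected input counts as 'no difference' for the probe
    return fetch("1 AND 1=1") != fetch("1 AND 1=2")


if __name__ == "__main__":
    db = open_db()
    print(lookup_vulnerable(db, "1 OR 1=1"))             # every row, including the private page
    print(boolean_probe_differs(db, lookup_vulnerable))  # True
    print(boolean_probe_differs(db, lookup_hardened))    # False
```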