errorbased SQL Injection being scanned against HTTP GET parameters.
SQL injection continues to be a favourite target of attackers. In the news we see regular reports of data dumps containing credit card information, usernames, passwords and other information; more often than not these dumps are the result of SQL injection attacks.
Successful attacks provide an attacker access to the whatever data the database holds and even operating system access in the most damaging attacks.
Detect SQL injection in HTTP GET based urls
- Easily Test a URL for parameters that are vulnerable to SQL Injection
- Identify poorly coded web applications that do not sanitise input correctly
- Test effectiveness of web application firewalls or Intrusion Detection (IDS/IPS)
- Access to 27 Vulnerability Scanners and OSINT Tools
- Trusted Open Source Tools
Why use this SQL Injection Test?
The benefits of this test are that you have easy access to a fast and comprehensive SQL injection against a single URL. This scan does not scour your website and find every possible injection point; however, by having such a quick and accurate test on hand, you can easily select a handful of HTTP GET based URL's from your target web site and test them immediately.
If you find the HTTP GET based URL's are vulnerable to SQL injection, there is a good chance other parts of the site are also vulnerable. You need a comprehensive web application assessment to ensure your website is safe from this damaging attack.
How do I perform a SQL injection test?
1. Enter the URL you wish to target. Note that this test only examines HTTP GET based parameters; so the URL should contain those parameters following the web domain. See example below:
This example url will have the two parameter’s id and page tested for sql injection.
2. Enter the email address for delivery of the results.
3. Hit the start button to have the tests performed on the system.
Technical Details of the scanner
The scan uses sqlmap to test for HTTP GET parameters of a url. The scan type is default, with only the database version being extracted in the event of a successful injection point is found.
About the SQLmap project
SQL Injection is a common attack vector in dynamic web applications. It allows an attacker to gain access to the database or database functions through poor coding methodology. We have documented an introduction to sql injection or alternatively a good SQL injection reference is over at the owasp site.
The SQLmap tool is a powerful automated sql injection testing tool. In recent reviews of web application assessment tools sqlmap has consistently scored highly in accuracy of the detection capability.
Recently there have been a number of high profile attacks that have been exploited by SQL Injection, these have resulted in the loss of millions of customer records and hundreds of thousands of login / password combinations.