Security Basics mailing list archives
RE: Test for SQL Injection
From: "Robertson, Seth (JSC-IM)" <Seth.Robertson-1 () nasa gov>
Date: Thu, 6 Nov 2008 15:24:32 -0600
How about Paros for general SQL injection and Absinthe for Blind SQL injection (both free tools)? WebScarab is also a good general-purpose proxy for web application security testing. The OWASP WebGoat package is a vulnerable web server with a great set of tutorials to learn about how many different web application vulnerabilities are exploited. Check www.owasp.org for preventative techniques. I also recommend SANS 319 taught by Tanya Baccam.

Seth Robertson
IT Security Forensics Specialist
NASA Johnson Space Center

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Rui Pereira (WCG)
Sent: Thursday, November 06, 2008 1:00 PM
To: 'Michael Condon'; 'David Crandell'; security-basics () securityfocus com
Subject: RE: Test for SQL Injection

Scrawlr is free.

Thank You
Rui Pereira, B.Sc.(Hons), CIPS ISP, CISSP, CISA, CWNA, CPTS/CPTE
Principal Consultant
WaveFront Consulting Group
wavefront1 () shaw ca | www.wavefrontcg.com | 1 604 961 0701

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Michael Condon
Sent: November 6, 2008 9:23 AM
To: David Crandell; security-basics () securityfocus com
Subject: Re: Test for SQL Injection

I imagine that HP Scrawlr is a bit pricey. If JavaScript is required to enable the Submit button on an HTML form, is there a way to circumvent this? I do have two layers of server side protection from SQL Injection as well.

----- Original Message -----
From: "David Crandell" <david () onholdwizard com>
To: "'Michael Condon'" <admin () singulartechnologysolutions com>; <security-basics () securityfocus com>
Sent: Monday, October 27, 2008 10:37 AM
Subject: RE: Test for SQL Injection

I have used HP's Scrawlr. To prevent attacks, validate input in your forms (server-side, not just with JavaScript) and make sure any querystring parameters are filtered or validated with server-side code before they are passed to the database.

Dave Crandell
Vice President, Information Systems
On Hold Media Group
972-758-1300
david () onholdwizard com

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Michael Condon
Sent: Sunday, October 26, 2008 1:59 PM
To: security-basics () securityfocus com
Subject: Test for SQL Injection

What are some open source utilities I can use to test a web page for SQL Injection vulnerability (MySQL), and what coding practices can be implemented to prevent the exploit?
No virus found in this incoming message. Checked by AVG - http://www.avg.com Version: 8.0.175 / Virus Database: 270.9.0/1770 - Release Date: 11/5/2008 5:36 PM
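The two server-side layers the thread talks about (validate the querystring parameter, then keep it out of the SQL text) shown as an added example that is not from any poster in this thread. Python's sqlite3 stands in for MySQL, the users table and the allow-list rule are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample rows standing in for a MySQL users table.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]
# Assumed validation policy: usernames are short alphanumerics/underscores.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, name):
    # The pattern the thread warns about: the request value is pasted into
    # the SQL string, so the value can change the structure of the query.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    # Layer 2 alone: a parameterized query. The value is sent as data, so a
    # quote inside it is compared literally rather than parsed as SQL.
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def lookup_safe(conn, name):
    # Layer 1 + layer 2: reject anything outside the allow-list before any
    # SQL runs, then use the parameterized query for what survives.
    if not USERNAME_RE.match(name):
        raise ValueError("rejected username")
    return lookup_param(conn, name)


def demo():
    conn = make_db()
    probe = "x' OR '1'='1"  # constructed test input of the kind a scanner sends
    unsafe = lookup_unsafe(conn, probe)  # structure changed: every row comes back
    param_only = lookup_param(conn, probe)  # compared as a literal: no rows
    try:
        safe = lookup_safe(conn, probe)
    except ValueError:
        safe = None  # validation stopped it before the database saw it
    return {"unsafe": unsafe, "param_only": param_only, "safe": safe,
            "normal": lookup_safe(conn, "alice")}
```

Running `demo()` shows the concatenated query leaking both e-mail addresses while the parameterized query returns nothing and the validated path never reaches the database.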
Current thread:
- Re: Test for SQL Injection Michael Condon (Nov 05)
- <Possible follow-ups>
- Re: Test for SQL Injection Taras P. Ivashchenko (Nov 05)
- Re: Test for SQL Injection Michael Condon (Nov 06)
- RE: Test for SQL Injection David Crandell (Nov 06)
- RE: Test for SQL Injection Rui Pereira (WCG) (Nov 06)
- RE: Test for SQL Injection Robertson, Seth (JSC-IM) (Nov 06)