Security Basics mailing list archives

RE: Test for SQL Injection


From: "Robertson, Seth (JSC-IM)" <Seth.Robertson-1 () nasa gov>
Date: Thu, 6 Nov 2008 15:24:32 -0600

How about Paros for general SQL injection and Absinthe for Blind SQL
injection (both free tools)?  WebScarab is also a good general-purpose
proxy for web application security testing.  The OWASP WebGoat package
is a vulnerable web server with a great set of tutorials to learn about
how many different web application vulnerabilities are exploited.

Check www.owasp.org for preventative techniques.

I also recommend SANS 319 taught by Tanya Baccam.


Seth Robertson
IT Security Forensics Specialist
NASA Johnson Space Center
 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Rui Pereira (WCG)
Sent: Thursday, November 06, 2008 1:00 PM
To: 'Michael Condon'; 'David Crandell';
security-basics () securityfocus com
Subject: RE: Test for SQL Injection

Scrawlr is free.

Thank You
 
Rui Pereira, B.Sc.(Hons), CIPS ISP, CISSP, CISA, CWNA, CPTS/CPTE
Principal Consultant, WaveFront Consulting Group
 
wavefront1 () shaw ca | www.wavefrontcg.com | 1 604 961 0701
 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Michael Condon
Sent: November 6, 2008 9:23 AM
To: David Crandell; security-basics () securityfocus com
Subject: Re: Test for SQL Injection

I imagine that HP Scrawlr is a bit pricey.
If JavaScript is required to enable the Submit button on an HTML form,
is there a way to circumvent this?
I do have two layers of server side protection from SQL Injection as
well.
----- Original Message -----
From: "David Crandell" <david () onholdwizard com>
To: "'Michael Condon'" <admin () singulartechnologysolutions com>;
<security-basics () securityfocus com>
Sent: Monday, October 27, 2008 10:37 AM
Subject: RE: Test for SQL Injection


I have used HP's Scrawlr.

To prevent attacks, validate input in your forms (server-side, not just
with JavaScript) and make sure any querystring parameters are filtered or
validated with server-side code before they are passed to the database.

Dave Crandell
Vice President, Information Systems
On Hold Media Group
972-758-1300
david () onholdwizard com
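The advice above (server-side validation plus keeping user input out of the SQL text) as an added worked example, not code from anyone on this thread; it uses Python's sqlite3 in-memory database as a stand-in for MySQL, and the table, data and function names (make_db, lookup_unsafe, lookup_safe, lookup_by_id) are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample table standing in for the MySQL table behind a web form
# (assumption: sqlite3 in memory so the example runs offline).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def validate_username(raw):
    """Server-side allowlist check. Runs whether or not the browser ran the
    form's JavaScript, since a client can submit the request directly."""
    if not USERNAME_RE.match(raw):
        raise ValueError("invalid username")
    return raw

def validate_id(raw):
    """A querystring id must be a positive integer; int() rejects stray text."""
    value = int(raw)
    if value <= 0:
        raise ValueError("invalid id")
    return value

def lookup_unsafe(conn, username):
    # The pattern to avoid: the raw input becomes part of the SQL statement,
    # so quote characters in it change the query's meaning.
    sql = "SELECT id FROM users WHERE username = '" + username + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, username):
    # Parameterized query: the driver binds the input as data, so it is
    # compared literally and never parsed as SQL.
    sql = "SELECT id FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username,))]

def lookup_by_id(conn, raw_id):
    # Validate first, then bind: both layers of server-side protection.
    uid = validate_id(raw_id)
    sql = "SELECT username FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (uid,))]
```

Run lookup_unsafe and lookup_safe with the same quote-bearing string to see that only the concatenated query's result set changes; that difference is the vulnerability the thread is about.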

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Michael Condon
Sent: Sunday, October 26, 2008 1:59 PM
To: security-basics () securityfocus com
Subject: Test for SQL Injection

What are some open source utilities I can use to test a web page for 
SQL Injection vulnerability (MySQL), and what coding practices can be 
implemented to prevent the exploit?
