How can I test for SQL injection vulnerabilities on a site with input fields?
What methods are available for testing SQL injection vulnerabilities?
There are a number of ways to test for SQL Injection. The tests break down into three different methodologies:
Blind Injection: MySQL example:
http://localhost/test.php?id=sleep(30)
If this SQL statement is interpreted by the database then it will take 30 seconds for the page to load.
Error Messages:
http://localhost/test.php?id='"
If error reporting is enabled and this request is vulnerable to sql injection then the following error will be produced:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"' at line 5
Tautology Based Injection:
http://localhost/test.php?username=' or 1=1 /*&password=1
In this case supplying a Tautology, or a statement that is always true provides a predictable result. In this case the predictable result would be logging in the attacker with the first user in the database, which is commonly the administrator. There are tools that automate the use of the methods above to detect SQL Injection in a web application. There are free and open source tools such as Wapiti and Skipfish that do this. Sitewatch provides a free service that is a lot better than these open source tools. I can say that because I am a developer for Sitewatch.