Bytes | Developer Community

How can I create an innocuous SQL injection attempt to test apps and evaluate the result programmatically?

There are assorted "SQL Injection vulnerability assessment tools" out there.
They scan your site and send your report. They also take your money.

We don't have the money so I was wondering if I could replicate the tool's
behavior myself. I am guessing that they work by attempting a
non-destructive injection attack against your DB and evaluating the success
or failure of that test.

I am curious if a) I'm correct about this, and b) if anyone could suggest a
starting point for a "safe" injection test and an evaluation of the result
using C# / ASP.NET.

Thanks,
-KF
Mar 16 '07 #1
Some examples of SQL injection can be found here:
http://msdn.microsoft.com/msdnmag/is.../SQLInjection/

Anyway, if you follow the guidelines here
http://msdn2.microsoft.com/en-us/library/ms998271.aspx (like use the
SQLParameter object to pass the parameters), your program should not be
vulnerable to common SQL injection.

Mar 16 '07 #2
Thank you for your links. I understand the nature of SQL injection and how
to safeguard against it using the common methods: string checking, type
checking, whitelisting, blacklisting, various mechanisms associated with the
database and database interactions.

What I'm looking for now is a safe way to scan sites for vulnerabilities,
just as those expensive tools do. This would help people who know very
little, or who are non-technicians: they can at least recognize that they
have a problem. I need to know how to perform a non-destructive check, and
to evaluate the success or failure of my non-destructive check. My purpose
here is to write some code and maybe even an open-source tool that people
could use to check sites for SQL injection vulnerabilities.

-KF

Mar 16 '07 #3
The easiest test is to enter a single ' into each form field. If you get
a SQL syntax error on postback, you have an open door.

-- bruce (sqlwork.com)

Mar 16 '07 #4
"bruce barker" <no****@nospam.com> wrote in message
news:Ol****************@TK2MSFTNGP05.phx.gbl...
> the easiest test is to enter a single ' into each form field. if you get a
> sql syntax error on postback you have an open door.
Indeed. In fact, of all the SQL Injection testing sites I've seen, this is
pretty much the first thing they try...
Mar 16 '07 #5
Thanks, guys.

In .NET/C#, do you know approximately how you would test for the return of a
SQL syntax error? Does it return some kind of error code that could be
captured and evaluated by the app, or is another approach going to be
required?

Does anyone know of other tests that SQL Injection test suites commonly do
besides what Bruce and Mark suggested?

Thanks, this is helpful.

-KF

Mar 16 '07 #6
<ke*****@nospam.nospam> wrote in message
news:ON****************@TK2MSFTNGP03.phx.gbl...
> In .NET/C#, do you know approximately how you would test for the return of
> a SQL syntax error?
using System.Data.SqlClient;   // SqlException lives here

try
{
// ADO.NET code: open the SqlConnection and execute the SqlCommand
}
catch (SqlException ex)
{
// A malformed statement (e.g. an unbalanced quote) throws SqlException.
// ex.Number carries the SQL Server error code (102 = "Incorrect syntax
// near", 105 = "Unclosed quotation mark") and ex.Message the error text.
}
Mar 16 '07 #7
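A worked version of the two checks discussed in this thread (Bruce's single-quote test in #4 and the error evaluation Mark sketches in #7), as an added example that is not code from any poster. It is written in Python rather than C# so that it runs stand-alone against a simulated target; the probe logic ports directly to C#/ASP.NET with any HTTP client. It also goes one step beyond the thread with a differential (boolean) probe for pages that swallow the database error, which is the other test scanners commonly run. The two target "pages", the users table, the field values and the error-signature list are all constructed for this example.

```python
"""Non-destructive SQL injection probe run against a simulated target.

Added example, not code from this thread. The two "pages" below stand in for a
web form handler: one concatenates user input into SQL (vulnerable), the other
binds it as a parameter (the SqlParameter approach from #2). Both are backed by
a throwaway in-memory SQLite database constructed here.
"""
import re
import sqlite3
from typing import Callable, Dict

Page = Callable[[str], str]   # takes the form field value, returns the response body


def _fresh_db() -> sqlite3.Connection:
    # Constructed sample data; nothing here persists beyond the call.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def vulnerable_page(name: str) -> str:
    """Builds the WHERE clause by string concatenation and, like many
    real apps, leaks the database error text into the response."""
    try:
        rows = _fresh_db().execute(
            "SELECT id FROM users WHERE name = '" + name + "'").fetchall()
    except sqlite3.Error as exc:       # the C# equivalent is catch (SqlException)
        return f"<h1>Server Error</h1><p>SQLite error: {exc}</p>"
    return f"<p>Found {len(rows)} user(s)</p>"


def safe_page(name: str) -> str:
    """Same query with a bound parameter: a quote in the input is just data."""
    rows = _fresh_db().execute(
        "SELECT id FROM users WHERE name = ?", (name,)).fetchall()
    return f"<p>Found {len(rows)} user(s)</p>"


# Database error strings that betray an injectable query. Constructed list; a
# real scanner carries one entry per DBMS it knows about.
ERROR_SIGNATURES = re.compile(
    r"unclosed quotation mark"                 # SQL Server, error 105
    r"|incorrect syntax near"                  # SQL Server, error 102
    r"|you have an error in your sql syntax"   # MySQL
    r"|unrecognized token|sqlite error"        # SQLite
    r"|ora-\d{5}"                              # Oracle
    r"|syntax error at or near",               # PostgreSQL
    re.IGNORECASE,
)


def error_based_probe(page: Page, baseline: str) -> bool:
    """The single-quote test: append ' to a normal value and look for a
    database error in the response."""
    return bool(ERROR_SIGNATURES.search(page(baseline + "'")))


def boolean_probe(page: Page, baseline: str) -> bool:
    """Differential test for apps that hide errors. Both payloads are
    read-only and syntactically valid once injected; one is always true,
    the other always false. A safe app treats both as unmatched literal
    strings and answers identically; a vulnerable one answers differently."""
    true_resp = page(baseline + "' OR 'a'='a")
    false_resp = page(baseline + "' AND 'a'='b")
    return true_resp != false_resp


def scan(page: Page, baseline: str = "alice") -> Dict[str, bool]:
    """Run both probes against one form field and report which fired."""
    return {
        "error_based": error_based_probe(page, baseline),
        "boolean": boolean_probe(page, baseline),
    }


if __name__ == "__main__":
    for label, page in (("vulnerable", vulnerable_page), ("parameterised", safe_page)):
        print(label, scan(page))
```

Two caveats before pointing this at a real site. The boolean probe compares whole responses, so strip anything that changes between requests (timestamps, session or view-state tokens) or it will report every page as vulnerable. Conversely, an app that returns a generic "something went wrong" page defeats the error-based probe but may still be injectable, which is exactly why the second probe exists. Both payloads only read data, but run them only against applications you own or are authorised to test.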

Thank you Mark. A super-helpful first step.

-KF
Mar 16 '07 #8
