Bytes | Software Development & Data Engineering Community

How can I create an innocuous SQL injection attempt to test apps and evaluate the result programmatically?

There are assorted "SQL Injection vulnerability assessment tools" out there.
They scan your site and send your report. They also take your money.

We don't have the money so I was wondering if I could replicate the tool's
behavior myself. I am guessing that they work by attempting a
non-destructive injection attack against your DB and evaluating the success
or failure of that test.

I am curious if a) I'm correct about this, and b) if anyone could suggest a
starting point for a "safe" injection test and an evaluation of the result
using C# / ASP.NET.

Thanks,
-KF
Mar 16 '07 #1
Some examples of SQL injection can be found here:
http://msdn.microsoft.com/msdnmag/is.../SQLInjection/

Anyway, if you follow the guidelines here
http://msdn2.microsoft.com/en-us/library/ms998271.aspx (like use the
SQLParameter object to pass the parameters), your program should not be
vulnerable to common SQL injection.

Mar 16 '07 #2
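
As an added example, not code from the thread, the following shows the difference Lau's SqlParameter advice makes: the same lookup built by string concatenation and by a parameterized SqlCommand, fed the same inputs. The table and column names, the sample inputs and the class name are assumptions. It uses System.Data.SqlClient from the .NET Framework and never opens a connection, so it runs without a database.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;   // .NET Framework ADO.NET provider for SQL Server

class ParameterDemo
{
    // The vulnerable pattern: user input spliced into the statement text.
    // A quote in the input ends the literal early, which is exactly why
    // entering a single ' into a form field produces a SQL syntax error.
    static string BuildConcatenated(string userName)
    {
        // Assumed table and column names.
        return "SELECT * FROM Users WHERE UserName = '" + userName + "'";
    }

    // The safe pattern: the statement text is constant and the value travels
    // as a typed parameter, so a quote in the input is data, never syntax.
    static SqlCommand BuildParameterized(string userName)
    {
        SqlCommand cmd = new SqlCommand("SELECT * FROM Users WHERE UserName = @UserName");
        SqlParameter p = cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50);
        p.Value = userName;
        return cmd;
    }

    static void Main()
    {
        // Constructed sample inputs: a normal name, a name containing an
        // apostrophe, and the bare single quote from the test in this thread.
        string[] inputs = { "kf", "O'Brien", "'" };

        foreach (string input in inputs)
        {
            Console.WriteLine("Input:         " + input);
            Console.WriteLine("Concatenated:  " + BuildConcatenated(input));

            SqlCommand cmd = BuildParameterized(input);
            Console.WriteLine("Parameterized: " + cmd.CommandText
                + "   [@UserName = " + cmd.Parameters["@UserName"].Value + "]");
            Console.WriteLine();
        }
        // The concatenated text for "'" ends in ''' (an unclosed string), which
        // SQL Server rejects with error 105; "O'Brien" breaks it too. The
        // parameterized command sends the identical constant text every time.
    }
}
```

The point to notice is that the concatenated version changes the SQL text with every input, and the database can no longer tell data from statement; the parameterized version sends the same statement text and a separate value, so there is nothing for a quote to break. On .NET Core the same code works with Microsoft.Data.SqlClient in place of System.Data.SqlClient.
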
Thank you for your links. I understand the nature of SQL injection and how
to safeguard against it using the common methods: string checking, type
checking, whitelisting, blacklisting, various mechanisms associated with the
database and database interactions.

What I'm looking for now is a safe way to scan sites for vulnerabilities,
just as those expensive tools do. This would help people who know very
little, or who are non-technicians: they can at least recognize that they
have a problem. I need to know how to perform a non-destructive check, and
to evaluate the success or failure of my non-destructive check. My purpose
here is to write some code and maybe even an open-source tool that people
could use to check sites for SQL injection vulnerabilities.

-KF

Mar 16 '07 #3
the easiest test is to enter a single ' into each form field. if you get
a sql syntax error on postback you have an open door.

-- bruce (sqlwork.com)

Mar 16 '07 #4
"bruce barker" <no****@nospam.com> wrote in message
news:Ol****************@TK2MSFTNGP05.phx.gbl...
> the easiest test is to enter a single ' into each form field. if you get a
> sql syntax error on postback you have an open door.

Indeed. In fact, of all the SQL Injection testing sites I've seen, this is
pretty much the first thing they try...
Mar 16 '07 #5
Thanks, guys.

In .NET/C#, do you know approximately how you would test for the return of a
SQL syntax error? Does it return some kind of error code that could be
captured and evaluated by the app, or is another approach going to be
required?

Does anyone know of other tests that SQL Injection test suites commonly do
besides what Bruce and Mark suggested?

Thanks, this is helpful.

-KF

Mar 16 '07 #6
<ke*****@nospam.nospam> wrote in message
news:ON****************@TK2MSFTNGP03.phx.gbl...
> In .NET/C#, do you know approximately how you would test for the return of
> a SQL syntax error?

using System.Data.SqlClient;   // SqlException lives here in ADO.NET

try
{
    // ADO.NET code: open the SqlConnection and execute the SqlCommand
}
catch (SqlException ex)
{
    // handle the error: ex.Number and ex.Message identify the SQL Server error
}
Mar 16 '07 #7
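
As an added example, not code from the thread, this puts together Bruce's single-quote test, the evaluation step KF asked for, and Mark's catch (SqlException) on the server side. The target URL and form field name come from the command line; the error phrases, the constructed sample pages and the helper names are assumptions. The HTTP part uses HttpClient and async Main, so it needs a current .NET rather than the 2007-era framework; the evaluation part runs on the constructed responses without any network access.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Net.Http;
using System.Threading.Tasks;

class InjectionProbe
{
    // Phrases SQL Server puts in its error text when a stray quote breaks the
    // statement: error 105 is "Unclosed quotation mark ...", error 102 is
    // "Incorrect syntax near ...". A page that echoes these to the browser has
    // both the concatenation bug and an information leak. (Assumed list; other
    // database engines word their errors differently.)
    static readonly string[] SqlErrorSignatures =
    {
        "Unclosed quotation mark",
        "Incorrect syntax near",
        "System.Data.SqlClient.SqlException",
    };

    // Evaluation step: does the page that came back look like a SQL error?
    public static bool LooksLikeSqlError(string responseBody)
    {
        if (string.IsNullOrEmpty(responseBody)) return false;
        foreach (string signature in SqlErrorSignatures)
        {
            if (responseBody.IndexOf(signature, StringComparison.OrdinalIgnoreCase) >= 0)
                return true;
        }
        return false;
    }

    // Probe step: send a harmless baseline value, then Bruce's single quote, to
    // one form field. Only a SQL error that appears for the quote and not for
    // the baseline counts, so a site whose error page shows for every input is
    // not misreported.
    public static async Task<bool> ProbeFieldAsync(HttpClient client, string targetUrl, string fieldName)
    {
        string baseline = await PostFieldAsync(client, targetUrl, fieldName, "probe");
        string probed = await PostFieldAsync(client, targetUrl, fieldName, "'");
        return LooksLikeSqlError(probed) && !LooksLikeSqlError(baseline);
    }

    static async Task<string> PostFieldAsync(HttpClient client, string url, string field, string value)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string> { { field, value } });
        using (HttpResponseMessage response = await client.PostAsync(url, form))
        {
            // ASP.NET error pages come back as HTTP 500; the body is what matters here.
            return await response.Content.ReadAsStringAsync();
        }
    }

    // Server side, inside Mark's catch (SqlException ex): Number says which SQL
    // Server error fired. 102 and 105 are the syntax errors a stray quote
    // produces, worth logging as a possible injection attempt while the user
    // gets a generic message rather than ex.Message.
    public static bool IsQuoteSyntaxError(SqlException ex)
    {
        return ex.Number == 102 || ex.Number == 105;
    }

    static async Task Main(string[] args)
    {
        // Constructed sample responses standing in for real pages.
        string cleanPage = "<html><body>No results for that user.</body></html>";
        string leakyPage = "<html><body>Server Error in '/' Application. "
            + "System.Data.SqlClient.SqlException: Unclosed quotation mark "
            + "after the character string '''.</body></html>";

        Console.WriteLine("clean page flagged: " + LooksLikeSqlError(cleanPage));
        Console.WriteLine("leaky page flagged: " + LooksLikeSqlError(leakyPage));

        // Live probe of one form field of the application under test:
        //   InjectionProbe.exe http://host/login.aspx UserName
        if (args.Length == 2)
        {
            using (var client = new HttpClient())
            {
                bool vulnerable = await ProbeFieldAsync(client, args[0], args[1]);
                Console.WriteLine("field '" + args[1] + "' vulnerable: " + vulnerable);
            }
        }
    }
}
```

Run without arguments it only evaluates the two constructed pages: the clean one is not flagged, the one echoing the SqlException text is. Two caveats for real use: an ASP.NET Web Forms page normally needs the __VIEWSTATE and __EVENTVALIDATION fields from a prior GET before a POST reaches the handler, which this probe does not fetch; and a page that hides SQL errors behind a generic message (customErrors on, as it should be) will pass this test even if the concatenation bug is there, which is why the server-side catch should log ex.Number and the input rather than rely on the probe alone.
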

Thank you Mark. A super-helpful first step.

-KF

Mar 16 '07 #8
