SQL injection (SQLi) is one of the most common techniques online attacks. How can we detect it and protect ourselves from it?
The penetration testing (or "pentesting" in short) consists of simulating software attacks to identify their weaknesses. It is useful to identify vulnerabilities before they are detected and used by cybercriminals.
Pentesting tools - also known as penetration control tools - automate and accelerate the attack simulation process and detect vulnerabilities software. Given this, let's see what are the best test tools for SQL injection detection.
The OWASP Zed Attack (ZAP) proxy is one of the most popular free security tools. It is open source software that helps you to detect vulnerabilities in your web applications. It has many advanced features to meet the requirements of pentesters.
- It includes an automatic scanning option for automatic launch testing on a particular site and controls all types of security vulnerabilities.
- It has a headless mode for developing automation software.
- It has API features to control almost all of its features.
The w3af is a security testing platform designed to help you secure your applications on Internet. It is a free open source vulnerability tester that helps you detect and exploit security vulnerabilities in web applications. It has the ability to detect more than 200 vulnerabilities, including SQL injection.
- It supports automation with its own scripts set (text files with their commands on each line).
- It supports various types of logging console, even text files email reports - to enhance the credibility of the results of automation tools.
- It supports fuzzing engine that can import payloads into almost any part of HTTP requests.
- Supports extension of the tool via email reports (Python scripts).
In the field of ethical hacking, tSQLMAP is the main vulnerability tool based on SQL injection. It is an open source solution written in python language that automates the process of finding and exploiting SQL vulnerabilities with the ultimate goal of having complete control over the database and server in which he is.
- It supports the most common databases such as IBM DB2, Microsoft Access, Microsoft SQL Server, MySQL, Oracle, PostgreSQL and SQLite.
- Supports all major injection techniques, in particular Classic SQLi, including its subtypes (error-based SQLi and Union-based SQLi), Blind SQLi, including its subtypes (Boolean-based and time-based SQLi Blind), out-of -band SQLi and SQL injection based on stacked queries.
- Supports the recognition of password hash formulas and their solution.
- Supports searching inside and cleaning tables according to your settings.
- Supports running commands on the operating system and downloading their standard outputs if the database is supported.
For more information you can refer to the respective open source tools web pages.