Write for Us
If you are a Web site developer or a QA tester, you know how difficult it is to test against SQL Injection attacks.
SQL Injection is an attack on a Web application that passes ("injects") unauthorized SQL query/commands into a command stream by talking advantage of input that isn't validated, mainly from Web sites. Many Web pages take parameters from users through input form fields. By using those parameters to build an SQL string, a hacker can send various types of commands and queries to a SQL Server running the data access for the Web site.
For example, a basic HTML form might have two input fields to allow users to log in to a Web site with a username and password. If the database query that looks up the information relies on the user's input for its variables, without validating that input, the database can be compromised by adding a string to the password input field.
So:
SELECT id FROM login WHERE username = 'username' AND password = 'password';
Can become:
SELECT id FROM login WHERE username = 'username' AND password = 'password' OR 'x'='x';
Normally, the query is meant to look up 'password' and return true or false, but now the 'x'='x' part of WHERE will return true and allow a hacker to bypass the login whether or not the password is correct.
For more information on SQL Injection see www.acunetix.com/websitesecurity/sql-injection.htm.
Be aware that huge losses have occurred due to SQL Injection attacks. GUESS?, Inc. (the clothing manufacturer) and PetCo.Com have fallen victim to SQL Injection attacks. In February 2002, the GUESS? Web site was compromised by a SQL Injection attack that netted attackers an unknown number of customer credit card numbers. For information about these attacks, see www.securityfocus.com/news/6194.
Now that you know how vulnerable a Web site can be to a SQL Injection attack, you should also be aware that it is very difficult to test against SQL Injection, as there are many objects to test. For example, let us assume that you want to test a SQL Injection attack against a customer registration page. As you can imagine, because there can be a lot of text boxes to test, it can quickly become a very boring and repetitive task. Multiply this by the many different forms that may exist across a Web site.
Acunetix Web Vulnerability Scanner (WVS) allows you to test your Web sites automatically for vulnerabilities. For this review I tested only its ability to find applications that were susceptible to SQL Injection attacks, which it did quite well. WVS also checks against these other Web attacks:
This review was done using the following software and hardware configuration:
During installation, you will have to decide whether to enable database support. Enabling this option will allow you to store scan results in a SQL Server or Access database. You can enable, disable or change the type of database later in the configuration options.
WVS crawls your Web site and attacks your Web applications automatically to sniff out vulnerabilities. It can scan many different types of Web pages and files on all types of Web servers. You can set file type inclusions and exclusions in the options.
