SQL All-In-One For Dummies by Allen G. Taylor
Author: Allen G. Taylor
Language: eng
Format: epub
ISBN: 9781119569596
Publisher: Wiley
Published: 2019-04-02T00:00:00+00:00
USING VULNERABILITY TESTING TOOLS
Some developers try to protect their sites from SQL injection attacks by using a drop-down menu to restrict data entry to legal values. Others place size limits on what can be entered in a data-entry field. These measures prevent a legitimate user from accidentally entering invalid data but don’t inconvenience an attacker. Because these restrictions are enforced on the client side, they can be bypassed easily, and you can send what you want to the database back end. Readily available tools, such as add-ons that expand the capabilities of the Mozilla Firefox browser, can even assist you in this endeavor. Many tools are available to help you scan your site for vulnerabilities. Here are a few of these tools:
Web Developer: Web Developer is a Firefox add-on that you can download from https://addons.mozilla.org/en-US/firefox/addon/60. This add-on has a lot of functionality that doesn’t relate directly to website security. You can display the contents of all the cookies that the site being tested has set, for example. You can display the contents of the associated cascading style sheet and even edit it. More helpful to both website testers and attackers, you can view the source code behind a form, display details on entry fields, display hidden fields, show passwords, convert GET to POST or POST to GET, and remove the maximum length restriction on a data-entry field. You can also change a drop-down list to a field in which you can enter what you want.
Tamper Data: Tamper Data, another Firefox add-on, was so dangerous that it was withdrawn from the Firefox site. It is doubtless still available from less reputable sources. With it, you can view and modify headers and POST parameters on HTTP and HTTPS requests. It also gives you information about the server responding to your requests.
SQL Inject Me: The SQL Inject Me Firefox add-on has also been withdrawn from the Firefox site. It actually makes injection attacks on the active page in your browser.
Be careful when using this tool, because your actions could be construed as computer crime, which carries severe criminal penalties.
If you have permission to test a site for vulnerabilities, however — preferably in writing — you can use SQL Inject Me to discover weaknesses in a site. When you use this add-on with Web Developer and Tamper Data, you can get a clear idea of a site’s weaknesses.
SQL Inject Me hammers a website with a barrage of illegal inputs that have been known to compromise susceptible applications. Each such input constitutes a test. Out of several tens of thousands of tests, if even one fails, the application has a problem that could be exploited by a bad actor. It would be a good idea to address this issue now rather than after the proverbial horse has trotted out of the barn door.
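The point made at the start of this section, that a drop-down menu or a size limit in the form does not protect the back end, is shown in the added example below, which is not code from the book. It places a query built by concatenation beside one that repeats the form's checks on the server and binds its values; the table, column names, permitted values, and sample rows are constructed for illustration.

```python
import sqlite3

# Assumed for this example: the values the form's drop-down offers
# and the maximum length its name field allows.
ALLOWED_STATES = {"OR", "WA", "CA"}
MAX_NAME_LEN = 20


def make_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, state TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("Alice O'Brien", "OR"), ("Bob Stone", "WA"), ("Carol Diaz", "CA")],
    )
    return conn


def find_customers_unsafe(conn, state, name):
    """Weak form: trusts the browser's restrictions and concatenates input into SQL."""
    sql = ("SELECT name FROM customers WHERE state = '" + state +
           "' AND name = '" + name + "' ORDER BY name")
    return [row[0] for row in conn.execute(sql)]


def find_customers(conn, state, name):
    """Hardened form: repeat the form's checks on the server, then bind the values."""
    if state not in ALLOWED_STATES:
        raise ValueError("state is not one of the permitted values")
    if len(name) > MAX_NAME_LEN:
        raise ValueError("name exceeds the permitted length")
    sql = "SELECT name FROM customers WHERE state = ? AND name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (state, name))]


if __name__ == "__main__":
    db = make_db()
    # Constructed input: short enough to pass a length limit, yet it changes
    # the meaning of the concatenated query.
    crafted = "' OR '1'='1"
    print(find_customers_unsafe(db, "OR", crafted))   # every row, from every state
    print(find_customers(db, "OR", crafted))          # no rows: treated as a literal name
    print(find_customers(db, "OR", "Alice O'Brien"))  # a legitimate quote is handled
```

The length and allow-list checks alone are not the fix, since the crafted value passes both; it is the bound parameters that keep the input from being read as SQL.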
