Test your website for SQL injection attacks and prevent it from being hacked.
SQLi (SQL Injection) is an old technique in which an attacker executes malicious SQL statements to take over the website.
SQL injection is considered a high-severity vulnerability, and the latest report by Acunetix shows that 23% of the scanned targets were vulnerable to it.
SQLi can be dangerous, as it can be used to steal sensitive information such as credit card numbers, passwords, etc.
Since SQL (Structured Query Language) databases are supported by many web platforms (PHP, WordPress, Joomla, etc.), it can potentially target a large number of websites.
So you see it’s essential to ensure your online business website is not vulnerable to SQLi, and the following will help you find out whether it is.
Note: Performing SQL injection testing generates high network bandwidth and sends a lot of data, so ensure you are the owner of the website you are testing.
1. SQL Injection Testing with Sqlmap
Online SQLMAP by FPentest identifies which database system is running and performs sqlmap's six SQL injection techniques, including the following.
- Time-based blind
- UNION query-based
- Boolean-based blind
- Stacked queries
Detecting SQL Injection flaws online by suIP.biz supports MySQL, Oracle, PostgreSQL, Microsoft SQL, IBM DB2, Firebird, Sybase, and other databases.
It is powered by SQLMap, so it will test against all six injection techniques.
Acunetix checks your website for more than 3000 vulnerabilities, including SQL injection. If you are looking for a comprehensive security scan, then give Acunetix a try.
Acunetix provides detailed reporting where you can filter the risk items by severity to prioritize the fixes.
4. SQL Injection Test Online
Another online tool, by Hacker Target, is based on SQLMap and finds blind and error-based vulnerabilities in HTTP GET requests.
5. Scan My Server
You get a detailed report with a rating and also an option to schedule your scan weekly or monthly, so you get notified when any vulnerabilities are found.
Vega is an open-source security scanner that can be installed on Linux, OS X, and Windows.
Vega is written in Java and is GUI based.
Not just SQLi: you can use Vega to test for many other vulnerabilities, such as:
- XML/Shell/URL injection
- Directory listing
- Remote file inclusion
- And much more…
Vega looks like a promising FREE web security scanner.
SQLMap is one of the most popular open source testing tools for performing SQL injection against relational database management systems.
Sqlmap enumerates users, passwords, hashes, roles, databases, tables, and columns, and supports dumping database tables entirely.
If you use Kali Linux, you can use SQLMap there too without installing it.
8. SQL Inject Me
SQL Inject Me is a Firefox add-on that sends database escape strings through HTML form fields and looks for error messages in the output page.
If you are designing a form that connects to a database on localhost and would like to test it before putting it on the live server, SQL Inject Me would be a good choice.
Netsparker is one of the popular web security scanners and comes in desktop or cloud versions. It detects a large number of security flaws, including the OWASP Top 10.
Netsparker can be integrated into the software development life-cycle for continuous security.
Appspider by Rapid7 is a dynamic application security testing solution that crawls and tests a web application for more than 80 types of attack.
A unique feature of Appspider, called vulnerability validator, lets the developer reproduce the vulnerability in real time.
This comes in handy when you have remediated the vulnerability and would like to re-test to ensure the risk is fixed.
The above tools will test and let you know if your website has a SQL injection vulnerability. If you are wondering how to protect your site against SQL injection, the following will give you an idea.
A poorly coded web application is usually the cause of SQL injection, so you have to fix the vulnerable code. However, another thing you can do is implement a WAF (web application firewall) in front of the application.
There are two possible ways to integrate WAF with your application.
- Integrate a WAF in the web server – you can use a WAF like ModSecurity with Nginx or Apache, or WebKnight with IIS.
- Use a cloud-based WAF – probably the easiest way to add site protection is by implementing a website firewall.
The good thing is that it works for any website, whether hosted on shared or cloud hosting. It doesn’t require any installation, and you can get it started in less than 10 minutes.
SUCURI Website Firewall
Cloudflare is well known for CDN and security, and offers a WAF starting from the PRO plan.
Some more you can check out
I hope the above gives you an idea of how to test for and fix SQL injection and other web vulnerabilities.