Re: SQL injections and connections to a DB

From: Dean H. Saxe (dean@fullfrontalnerdity.com)
Date: Fri Jul 15 2005 - 16:10:26 EDT


Nikto will not check for SQL Injection vulnerabilities in your code.
I'd suggest a manual pen test, for starters put a single quote in any
field -- don't forget hidden fields! If an error is returned, you
are subject to SQL injection. That will just scratch the surface,
however. Some languages, ColdFusion for example, do a great job of
escaping single quotes in most cases, so varchar/char fields are
generally not SQL injectable unless the developer goes about making
them injectable by using PreserveSingleQuotes(). So check up on your
language and how it handles these cases.

There are scanners out there, such as WebInspect by SPIDynamics
(imho, the best available today, even though I still avoid them all),
which will do this for you in addition to checking for XSS and known
server-level vulnerabilities. However, it's my belief that these
types of scanners will only find the low hanging fruit and may not
find all vulnerabilities. Unfortunately, tools like WebInspect may
lead people into a false sense of security. Having been burned by
authorization flaws missed by tools like WebInspect in the past I
avoid them now and test manually.

In fact, I'm doing a web app pen test right now... which means it's
time to stop emailing and start working. ;-)

-dhs

Dean H. Saxe, CEH
dean@fullfrontalnerdity.com
"To announce that there must be no criticism of the president, or
that we are to stand by the president right or wrong, is not only
unpatriotic and servile, but is morally treasonable to the American
public."
     -- Theodore Roosevelt

On Jul 13, 2005, at 8:09 AM, Felipe Balbi wrote:

> I think nikto will serve your purposes.
> It's a perl script used to test web servers, very
> effective.
>
> Felipe Balbi
>
> --- Mike Tupker <mtupker@gmail.com> wrote:
>
>
>> We have an IIS web server set up on our DMZ with a
>> connection to our DB
>> server which is running MS SQL server 7. Does anyone
>> know of a program
>> that will check the code in a web page for
>> vulnerabilities such as SQL
>> injections, overflows, or anything else that I might
>> not be aware of?
>> Basically, I would like to know if there is any way
>> for someone to use
>> the server on the DMZ to get to the DB server and
>> cause damage.
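
The single-quote check described above, as an added example that is not code from this thread: a query built by string concatenation (which throws a database error on a lone quote) beside the parameterized form (which treats the quote as data). It assumes an in-memory SQLite table with constructed rows in place of the MS SQL Server 7 backend mentioned in the question.

```python
import sqlite3


def make_db():
    """Constructed sample schema and rows (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("O'Brien", "obrien@example.com")],
    )
    return conn


def lookup_concat(conn, name):
    """Vulnerable pattern: the field value is spliced into the SQL text.
    A single quote in `name` changes the statement's structure, and the
    database error it produces is exactly the signal the thread describes.
    Returns (rows, error_message)."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    try:
        return [row[0] for row in conn.execute(sql)], None
    except sqlite3.Error as exc:
        return None, str(exc)


def lookup_param(conn, name):
    """Hardened pattern: a bound parameter; the value is never parsed as SQL.
    Returns (rows, None)."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows], None


def quote_probe(lookup, conn, field_value):
    """Defender-side self-check of the thread's single-quote test against your
    own data-access function: True if a trailing quote causes a database error,
    which means the field value is reaching the parser as SQL."""
    _, err = lookup(conn, field_value + "'")
    return err is not None


if __name__ == "__main__":
    db = make_db()
    print("concat  :", lookup_concat(db, "O'Brien"))   # error, legitimate name rejected
    print("param   :", lookup_param(db, "O'Brien"))    # (['obrien@example.com'], None)
    print("probe concat:", quote_probe(lookup_concat, db, "alice"))  # True
    print("probe param :", quote_probe(lookup_param, db, "alice"))   # False
```

The probe works as a regression test to run over each data-access function in your own code base; ColdFusion-style automatic quote escaping, as the thread notes, only narrows the problem for string columns, whereas bound parameters remove it for every column type.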



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:33 EDT