How can I create an innocuous SQL injection attempt to test apps and evaluate the result programmati

[Guest]

There are assorted "SQL Injection vulnerability assessment tools" out there.
They scan your site and send your report. They also take your money.

We don't have the money so I was wondering if I could replicate the tool's
behavior myself. I am guessing that they work by attempting a
non-destructive injection attack against your DB and evaluating the success
or failure of that test.

I am curious if a) I'm correct about this, and b) if anyone could suggest a
starting point for a "safe" injection test and an evaluation of the result
using C# / ASP.NET.

Thanks,
-KF

 

[Lau Lei Cheong]

Some examples of SQL injection can be found here:
http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection/

Anyway, if you follow the guidelines here
http://msdn2.microsoft.com/en-us/library/ms998271.aspx (like use the
SQLParameter object to pass the parameters), your program should not be
vulnerable to common SQL injection.

 

[Guest]

Thank you for your links. I understand the nature of SQL injection and how
to safeguard against it using the common methods: string checking, type
checking, white listing, blacklisting, various mechisms associated with the
database and database interactions.

What I'm looking for now is a safe way to scan sites for vulnerabilities,
just as those expensive tools do. This would help people who know very
little, or who are non-technicians: they can at least recognize that they
have a problem. I need to know how to perform a non-destructive check, and
to evaluate the success or failure of my non-destructive check. My purpose
here is to write some code and maybe even an open-source tool that people
could use to check sites for SQL injection vulnerabilities.

-KF

 

[bruce barker]

the easiest test is to enter a single ' into each form field. if you get
a sql syntax error on postback you have an open door.

-- bruce (sqlwork.com)

 

[Mark Rae]

the easiest test is to enter a single ' into each form field. if you get a
sql syntax error on postback you have an open door.

Indeed. In fact, of all the SQL Injection testing sites I've seen, this is
pretty much the first thing they try...

 

[Guest]

Thanks, guys.

In .NET/C#, do you know approximately how you would test for the return of a
SQL syntax error? Does it return some kind of error code that could be
captured and evaluated by the app, or is another approach going to be
required?

Does anyone know of other tests that SQL Injection test suites commonly do
besides what Bruce and Mark suggested?

Thanks, this is helpful.

-KF

 

[Mark Rae]

In .NET/C#, do you know approximately how you would test for the return of
a SQL syntax error?

try
{
// ADO.NET code
}
catch (SqlException ex)
{
// handle the error
}

 

[Guest]

Thank you Mark. A super-helpful first step.

-KF