Security Basics mailing list archives

RE: BlackBox testing for SQL injection
From: "Miguel Dilaj" <mdilaj () nccglobal com>
Date: Wed, 29 Jun 2005 08:43:51 +0100

Hi Michael,

Well, usually you don't know these if you're a pentester.
Look for the papers entitled "Advanced SQL Injection" and "More Advanced SQL
Injection" (probably at http://www.ngssoftware.com/papers.htm).
In one of them you have the process to discover table structure.
Using SQL abstracts you from source code worries.


-----Original Message-----
From: mickael kael [mailto:mickael.kael () gmail com] 
Sent: 28 June 2005 11:08
To: security-basics () securityfocus com
Subject: BlackBox testing for SQL injection


I want to know if it is possible to find real SQL injection with a blackbox
tool. For example, parosproxy prints some alerts about SQL injection params.
But how can we test it if we don't know the table structure and source code?

Thanks in advance for your idea,

Best Cordially,


