Re: good database testing tools to guard against SQL injection for Microsoft, Oracle?
From: Mike <secfocus () mikesbytes com>
Date: Mon, 10 May 2004 15:34:24 -0700

At 5/10/2004 09:54 AM, Earl.Perkins () metagroup com wrote:
> does anyone have recommendations for good database testing tools
> to spot and correct potential exploitation opportunities for SQL
> injection attacks in Microsoft and Oracle database environments?

Nessus (http://www.nessus.org) has worked well for me and it's free.
Basically, it scans the web server for scripts that accept input and tests
them for SQL injection problems. The output in the report looks like this:

The following URLs seem to be vulnerable to various SQL injection

Of course, there are plenty of commercial tools like AppScan
(http://www.sanctuminc.com/), WebInspect (http://www.spidynamics.com),
ScanDo (http://www.kavado.com/ProductsScando.htm) and numerous others that
claim to check for SQL injection vulnerabilities as well, but I don't have
enough experience with them to recommend them.