Can You Find SQL Injection Vulnerabilities with Spirent Avalanche NEXT?

An odd idea stroke me when watching the Avalanche NEXT presentation during Networking Tech Field Day – they have a fuzzing module that you can use to test whether your servers and applications survive all sorts of crazy illegal requests. Could that be used to detect SQL injection vulnerabilities in your web apps?

It seems the answer is YES (at least based on the answers they gave during the presentation), but it would be nice to have a more definitive one. Comments most welcome.

If nothing else, if you happen to have their appliance, it’s definitely a good idea to add the fuzzing stress test into your UAT test suite – it just might catch all those cases where server-side developers got sloppy because they expected that the JavaScript code in web browser performs input validation (an idea that makes everyone remotely familiar with how web works cringe in horror).

Watch the videos

To learn more about Avalanche NEXT watch the NFD6 videos: overview presentation and demo (with loads of geek fun).

Disclosure

Spirent was a sponsor of Networking Tech Field Day 6.

2 comments:

  1. This comment has been removed by the author.
  2. I think fuzz tools are used for developers to test invalid/random data against programs more that inject sql. You can use tools like this one which makes sql injection attacks (while fuzzing try to see how your app behaviour when get random data this sort of tools makes developed sql injection attacks): http://marathontool.codeplex.com/

    There are some owasp advices to prevent this kind of attacks: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

    Basically talks about use prepared queries (avoiding dinamic queries), use store procedures to detect anormal updates, beware of escaped characters,.. You can see other tools as Green Sql which is a database firewall with sql injection prevent features: http://www.greensql.com/ or use web application firewall with signatures of sql injections plus some other types attack signatures and use integrity monitor on databases, a approach in the same way as file integrity checkers but with database data.

    Kind regards
Add comment
Sidebar