Can You Find SQL Injection Vulnerabilities with Spirent Avalanche NEXT?
An odd idea stroke me when watching the Avalanche NEXT presentation during Networking Tech Field Day – they have a fuzzing module that you can use to test whether your servers and applications survive all sorts of crazy illegal requests. Could that be used to detect SQL injection vulnerabilities in your web apps?
It seems the answer is YES (at least based on the answers they gave during the presentation), but it would be nice to have a more definitive one. Comments most welcome.
If nothing else, if you happen to have their appliance, it’s definitely a good idea to add the fuzzing stress test into your UAT test suite – it just might catch all those cases where server-side developers got sloppy because they expected that the JavaScript code in web browser performs input validation (an idea that makes everyone remotely familiar with how web works cringe in horror).
Watch the videos
To learn more about Avalanche NEXT watch the NFD6 videos: overview presentation and demo (with loads of geek fun).
Disclosure
Spirent was a sponsor of Networking Tech Field Day 6.
There are some owasp advices to prevent this kind of attacks: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
Basically talks about use prepared queries (avoiding dinamic queries), use store procedures to detect anormal updates, beware of escaped characters,.. You can see other tools as Green Sql which is a database firewall with sql injection prevent features: http://www.greensql.com/ or use web application firewall with signatures of sql injections plus some other types attack signatures and use integrity monitor on databases, a approach in the same way as file integrity checkers but with database data.
Kind regards