SQL Injection Scanner 20 Credits
Discover SQL Injection vulnerabilities in web applications using OWASP ZAP
Sample Report
|Use Cases
|Technical Details
Sample Report
Here is a SQL Injection Scanner sample report:
- The report starts with a quick summary of the findings and risk ratings
- Each finding has a detailed explanation in terms of risk and recommendations
- The vulnerabilities are ordered by the risk level
SQL Injection Scanner - Use Cases
Find SQL Injection flaws in web applications by crawling and deep inspection of web pages and parameters. Powered by OWASP ZAP.
Website Penetration Testing
Speed-up your penetration test with this online scanner. It is already set-up and configured with the optimal settings for best results and performance. Just start the scan and come back later for results.
Self-Security Assessment
You can perform a self-security assessment in order to detect weaknesses in your own application. This will allow you to fix the vulnerabilities before being hit by real attackers.
Third-Party Website Audit
If you are a web development company, you can also show this report to your clients and prove that you have implemented the proper security measures in the application.
Technical Details
About
SQL Injection (SQLi) is one of the most well known web application vulnerabilities. It even has a dedicated chapter in the OWASP Top 10 project and it is a highly chased vulnerability in bug bounty programs.
SQL Injection occurs when the application uses untrusted input to construct SQL queries that are executed on a database. The input provided by an attacker may contain characters which could interfere with the SQL syntax and will result in arbitrary SQL queries performed on the database.
As a result, the risk of an SQL Injection vulnerability is that the attacker could:
The table below shows the differences between the Light scan and the Full scan:
SQL Injection occurs when the application uses untrusted input to construct SQL queries that are executed on a database. The input provided by an attacker may contain characters which could interfere with the SQL syntax and will result in arbitrary SQL queries performed on the database.
As a result, the risk of an SQL Injection vulnerability is that the attacker could:
- Read/write information from the database
- Read/write files from the disk (in certain conditions)
- Execute operating system commands on the database server (in certain conditions)
http://vulnapp.example.com/travel.jsp?id=x' UNION SELECT NULL, NULL, @@version -- '
The SQL Injection Scanner
The scanner works in two steps:- Spider the target: In this first step, the tool tries to identify all the pages in the web application, including injectable parameters in forms, URLs, headers, etc.
- Test for SQLi: For each page discovered in the previous step, the scanner will try to detect if the parameters are vulnerable to SQL Injection and report them in the results page.
The table below shows the differences between the Light scan and the Full scan:
| Scanner capabilities | Light scan | Full scan |
| Spider max URLs | 20 | 500 |
| Spider max duration | 1 minute | 15 minutes |
| Active scan max duration | 2 minutes | 30 minutes |
Warning:
The SQL Injection scanner generates some HTTP requests which can be flagged as attacks on the server side (although they are harmless). Do not use this scanner if you don't have proper authorization from the owner of the target website.
The SQL Injection scanner generates some HTTP requests which can be flagged as attacks on the server side (although they are harmless). Do not use this scanner if you don't have proper authorization from the owner of the target website.
Parameters
| Parameter | Description |
|---|---|
| Target URL | This is the URL of the website that will be scanned. All URLs must start with http or https. |
| Light Scan | This scan is faster but less comprehensive than the full scan. |
| Full Scan | This is a complete SQL Injection assessment of the target web application. |
How it works
The scanning engine used by the SQLi Scanner is OWASP ZAP, which is one of the world’s most popular open source security tools, actively maintained by hundreds of international developers.
The tool detects SQL Injection by inserting special characters (ex. ', ", 2*3) in all input fields of the target application and monitoring the web page's behaviour. If an error occurs, it is possible that an SQL Injection was found.
In order to validate the vulnerability, the SQL Injection scanner attempts to construct a syntactically correct SQL query which proves that the injection was successful. That is why you will see results such as:
The tool detects SQL Injection by inserting special characters (ex. ', ", 2*3) in all input fields of the target application and monitoring the web page's behaviour. If an error occurs, it is possible that an SQL Injection was found.
In order to validate the vulnerability, the SQL Injection scanner attempts to construct a syntactically correct SQL query which proves that the injection was successful. That is why you will see results such as:
http://vulnapp.example.com/bookings.php?cat=4 AND 1=1 --
The scanner does not attempt to exploit SQL injection, it just detects the presence of the vulnerability.
Detailed information about SQL Injection, including solutions on how to remediate this vulnerability can be found in the OWASP SQL Injection Page.