Msg#: 4094368 posted 4:40 am on Mar 12, 2010 (gmt 0)
Have you tried Scrawlr? It is developed by HP Web Security Research Group in coordination with Microsoft Security Response Center, and that's exactly its job: crawl a website and search for SQL Injection vulnerabilities.
Msg#: 4094368 posted 4:30 am on Mar 14, 2010 (gmt 0)
SQL injection sounds scary but it doesn't have to be scary. Take a look at your site, find all of the places that allow user input like search boxes and account logins, and see if you can type code into the box. See if you can type base64 encoded commands etc. Test those areas yourself to see if the url changes, an error code is returned or something other than an error page is returned.
If I type in GOGOGOGO into your forum login box for example and press enter... I shouldn't then see example.com/forums/GOGOGOGO as the url.
There's not much an automated SQL injection test will catch that you can't on your own once you know what to look for; ultimately you want to be able to watch your own back, so to speak.
I know of two really good scanners, but I think it's against TOS to post recommendations here.
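The "type code into the box" check described in the post above, as an added example that is not from any poster in this thread: a login lookup built by string concatenation beside the same lookup with bound parameters, run against a constructed in-memory SQLite table so it works offline. The table, user and probe string are assumptions made up for the demonstration.

```python
import sqlite3

# Constructed in-memory user table so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: user input becomes SQL."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    try:
        return conn.execute(sql).fetchone()[0] > 0
    except sqlite3.Error:
        # A database error surfacing to the user is one of the symptoms
        # the post tells you to watch for when probing your own forms.
        return False

def login_parameterized(conn, username, password):
    """Passes user input as bound parameters: it can only ever be data."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

# The textbook tautology probe (constructed): a quote that closes the
# string literal followed by a condition that is always true.
TAUTOLOGY = "' OR '1'='1"

def demo():
    """Returns the outcome of each login attempt so the two can be compared."""
    conn = make_db()
    return {
        "vuln_good_creds": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_tautology": login_vulnerable(conn, "alice", TAUTOLOGY),
        "safe_good_creds": login_parameterized(conn, "alice", "correct horse"),
        "safe_tautology": login_parameterized(conn, "alice", TAUTOLOGY),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the concatenated query the probe logs in without the real password; with bound parameters the same input is just a wrong password.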
Msg#: 4094368 posted 6:20 am on Mar 14, 2010 (gmt 0)
Yep, tried out Scrawlr and found no threats. I would like something that functions with more details and/or also does other threats. I do try to test my own scripts myself, but you can never be too safe nowadays.
A pay program is not a problem, but I at least want 1 unlimited free trial to get a feel for whether it's what I'm looking for or not.
JS_Harris, would it be possible to sticky me a link?