TL;DR
Yes! Several tools can help you find SQL injection vulnerabilities *while* you’re already logged into a web application. These are great for testing areas behind authentication, which traditional scanners often miss. This guide covers some options, from simple manual techniques to automated tools.
Scanning for SQL Injection Vulnerabilities While Logged In
- Understand the Basics
- SQL injection happens when user input is used directly in a database query without proper sanitisation.
- When logged in, you can test areas of the application that require authentication – things like search functions, profile updates, or admin panels.
- Manual Testing with Error-Based Injection
This is a good starting point to see if basic injection works.
- Try adding single quotes (`'`) to input fields. If you get a database error message, it’s a strong indicator of potential vulnerability.
- Example: If a search box expects a name, try entering `'` instead of a real name.
- Look for clues in the error message – it might reveal the database type and structure.
- Manual Testing with Boolean-Based Blind SQL Injection
If errors aren’t shown, you can try to infer information using true/false conditions.
- Construct queries that return different results based on whether a condition is true or false.
- Example (assuming a user ID parameter): `' AND 1=1 --` and `' AND 1=2 --`. If the first query works as expected, but the second doesn’t, it suggests injection is possible. The `--` comments out any remaining part of the query after your injected code.
- Using Burp Suite Professional
Burp Suite is a powerful web application security testing tool. Its Intruder feature can automate injection attempts.
- Configure Burp to intercept requests to the target application.
- Identify the parameter you want to test (e.g., a search box or user ID).
- Use Intruder’s payload options to inject various SQL payloads. Burp has pre-built lists, or you can create your own.
- Analyse the responses for differences that indicate successful injection.
- Using OWASP ZAP
OWASP ZAP is a free and open-source web application security scanner.
- Configure ZAP to proxy traffic from your browser.
- Browse the target application while logged in, exercising the functionality you want to test.
- ZAP will automatically scan for vulnerabilities, including SQL injection. You may need to manually explore areas that require authentication.
- SQLMap
SQLMap is a dedicated SQL injection tool.
- Install SQLMap: `pip install sqlmap` (requires Python and pip).
- Use the following command to scan a specific URL with a GET parameter: `sqlmap -u "http://example.com/page.php?id=1" --dbs`. Replace the URL with your target.
- SQLMap can automatically detect and exploit many SQL injection vulnerabilities. It requires careful use, as it can be disruptive.
- Important Considerations
- Authentication: Ensure the tool you’re using can handle authentication correctly (e.g., by providing cookies or session tokens). Burp Suite and ZAP are good at this.
- Scope: Only test applications you have permission to test!
- Data Sensitivity: Be careful when exploiting vulnerabilities – avoid accessing sensitive data unnecessarily.
- Logging: Keep detailed logs of your testing activities.
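
An added example, not part of the original guide: a constructed in-memory SQLite table and two hypothetical search functions show why the single-quote and true/false checks described above get a response from a query built by string concatenation and none from a parameterized one. The table, the function names and the `alice` prefix on the test values are assumptions made for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: an in-memory table standing in for the app's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return db

def search_vulnerable(db, name):
    # Input is concatenated into the SQL text, so a quote in `name` changes the query.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "' ORDER BY id"
    return db.execute(sql).fetchall()

def search_parameterized(db, name):
    # Input is bound as a value; the SQL text is fixed no matter what `name` contains.
    sql = "SELECT id, name FROM users WHERE name = ? ORDER BY id"
    return db.execute(sql, (name,)).fetchall()

def probe(search, db):
    """Apply the guide's manual checks and report what a tester would observe."""
    def rows(value):
        try:
            return search(db, value)
        except sqlite3.Error:
            return None  # the database rejected the query

    # Error-based check: a lone quote breaks the statement only if it reaches the SQL text.
    quote_error = rows("'") is None
    # Boolean-based check: a true and a false condition appended to a valid value.
    true_rows = rows("alice' AND 1=1 --")
    false_rows = rows("alice' AND 1=2 --")
    return {"quote_error": quote_error, "boolean_differs": true_rows != false_rows}

if __name__ == "__main__":
    for fn in (search_vulnerable, search_parameterized):
        print(fn.__name__, probe(fn, make_db()))
```

When re-testing after a fix, both indicators should read false, as they do for the parameterized function here.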

