SQL Injection - Using Burp Suite

SQL injection is an attack in which an attacker supplies input that the application concatenates into a SQL query, so that the input is executed as part of the query instead of being treated as data. A successful injection can read or modify records the attacker should never see, including sensitive customer data, and can corrupt or delete tables in the victim's database. In this blog, we will see how to identify SQL injection using Burp Suite. Burp Suite is an intercepting proxy used by penetration testers for web application penetration testing.

Contents:

  • Using BURP to detect SQL Injection flaws
  • Prevention
  • Conclusion
  • How Briskinfosec helps you?
  • Curious to read our case studies?
  • Last but not the least

Using Burp To Detect SQL Injection Flaws

First, ensure that Burp is correctly configured as the proxy for your browser.

  • Next, visit the page of the application that you are testing.

  • Then, return to Burp and ensure "Intercept is on" in the Proxy "Intercept" tab.

  • Now send a request to the server. In this example, this is done by clicking the "Submit" button.

  • The request will be captured in the Proxy "Intercept" tab.

  • One way to test an application for SQL injection vulnerabilities is to send the request to Burp Scanner (available in Burp Suite Professional).

  • Right click anywhere on the request to bring up the context menu.

  • Click "Do an active scan" to perform a scan. The scanner inserts a series of injection payloads into each request parameter and compares the responses with the original response.

  • Once the scan is complete, go to the Target "Site map" tab and look at the "Issues" panel.

  • In this example, the Scanner has found a number of SQL injection issues.

  • Click on an individual issue to view the "Advisory" tab, which provides details about that specific vulnerability.

  • You can also view the request and response on the basis of which Burp has reported the issue. Scanner findings can be false positives, so confirm each one manually (see below) before reporting it.

Manual testing for SQL injection flaws

  • The request will be captured in the Proxy "Intercept" tab.

  • Right click anywhere on the request to bring up the context menu and click "Send to Repeater".

  • Go to the "Repeater" tab.

  • Here we can resend the same request as many times as we like, putting different payloads into the parameters the web application reads.

  • We can test various inputs by editing the values of the appropriate parameters in the "Params" tab.

  • In this example, we are attempting to reveal the credit card details held by the application.

  • The payload Smith' OR '1' = '1 is an attempt to alter the query logic. If the application builds its query as WHERE name = 'Smith', the single quote in the payload closes the string literal, OR '1' = '1 appends a condition that is always true, and the application's own closing quote completes the final '1'. The query therefore matches every row, revealing all the user information held in the table.

  • The response can be viewed in the "Response" panel of the Repeater tool.

  • Responses that warrant further investigation or confirmation can be viewed in your browser.

  • Right click the response and click "Show response in browser".

  • Paste the URL that Burp provides into the browser to view the response there.

  • In this example, the attack has yielded the credit card details of all users.

Prevention:

The most effective ways to prevent SQL injection are:

  • Use parameterized queries (prepared statements), or a well-maintained ORM that uses them, for every database call, so that user input is always passed as a bound value and never concatenated into the query text. This is the primary defence; the measures below are additional layers.

  • Run the application's database account with least privilege, so that even a successful injection cannot read tables it does not need or alter the schema.

  • Validate every request parameter against an allow-list of expected formats (type, length, character set) and reject anything that does not match. Blocking "unsafe characters" on its own is not sufficient, because a payload can often be rewritten without them.

  • Keep the web framework, database driver and database server patched and on current versions.

  • Deploy a WAF (Web Application Firewall) as defence in depth and keep its rules current. A WAF blocks many common payloads but can be bypassed, so it should never be the only control.

  • Do not return raw database error messages to users; log them server-side instead, since verbose errors make error-based injection much easier.
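To make the mechanism concrete, here is an added example (not code from the original post, and not Briskinfosec's tooling) that reproduces in Python with SQLite what happens to the Repeater payload in the manual-testing section above, and then applies the first prevention measures from the list. The table, the names and card numbers, and the allow-list pattern are all constructed for this example. lookup_vulnerable builds the query by string concatenation the way a vulnerable application would; lookup_safe is the parameterized form; boolean_probe is the true/false pair check a tester sends from Repeater (and that an active scan automates); and is_valid_name shows why character filtering on its own is only a second layer.

```python
import re
import sqlite3
from typing import Callable, List, Tuple

Row = Tuple[str, str]

# Constructed sample data for this example; not from the original page.
SAMPLE_USERS: List[Row] = [
    ("Smith", "4111111111111111"),
    ("Jones", "5555555555554444"),
    ("Brown", "378282246310005"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database standing in for the target's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, card TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name, card) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Row]:
    """Deliberately injectable: the parameter is concatenated into the SQL text,
    so a quote in the input terminates the string literal and the rest of the
    input is parsed as SQL."""
    query = "SELECT name, card FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> List[Row]:
    """Hardened form: a parameterized query. The driver sends the input as a
    bound value, so it is compared as data and never parsed as SQL."""
    query = "SELECT name, card FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


# Allow-list for a surname field: letters, apostrophe, hyphen, space, at most 64
# characters. This policy is an assumption made for the example, not a rule from the page.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,63}")


def is_valid_name(name: str) -> bool:
    """Input validation as a second layer. Note what it does NOT do: an apostrophe
    is a legitimate character in names (O'Brien), so a payload built only from
    letters, quotes and spaces still passes."""
    return NAME_RE.fullmatch(name) is not None


def boolean_probe(conn: sqlite3.Connection,
                  lookup: Callable[[sqlite3.Connection, str], List[Row]],
                  base: str) -> bool:
    """The check done by hand in Repeater (and automated by an active scan): send
    two inputs that differ only in an appended condition that is always true
    versus always false. If the responses differ, the database evaluated the
    condition, i.e. the parameter is injectable."""
    true_case = lookup(conn, base + "' AND '1'='1")
    false_case = lookup(conn, base + "' AND '1'='2")
    return true_case != false_case


if __name__ == "__main__":
    conn = make_db()
    payload = "Smith' OR '1' = '1"  # the payload from the Repeater walkthrough
    print("vulnerable:", lookup_vulnerable(conn, payload))  # all three rows
    print("safe:", lookup_safe(conn, payload))              # [] (no user has that literal name)
    print("probe vulnerable:", boolean_probe(conn, lookup_vulnerable, "Smith"))  # True
    print("probe safe:", boolean_probe(conn, lookup_safe, "Smith"))              # False
    # Character filtering alone is not enough: this variant passes the allow-list
    # yet still dumps every row through the concatenated query.
    bypass = "Smith' OR 'a' LIKE 'a"
    print("allow-list accepts bypass:", is_valid_name(bypass))           # True
    print("vulnerable rows with bypass:", len(lookup_vulnerable(conn, bypass)))  # 3
    print("safe rows with bypass:", lookup_safe(conn, bypass))           # []
```

Run it with python3 on any file name. The bypass string passes the allow-list because it contains only letters, apostrophes and spaces, yet it still returns every row through the concatenated query; the parameterized query returns nothing for both payloads because it compares the whole string as a literal name, which is exactly why prepared statements are listed first above.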

Conclusion:

SQL (Structured Query Language) injection attacks remain a serious threat to every organization that holds data. They continue to be reported steadily, often go undetected for long periods, and are regarded as one of the most damaging classes of web-based attack.

How Briskinfosec helps you?

Briskinfosec scrutinizes the attack surfaces and secures them. Our security team performs in-depth security assessments to identify vulnerabilities that would otherwise go unnoticed, and then helps eliminate them. They also review input validation: incoming requests that are found to be unsafe are blocked, and those that are valid and harmless are allowed through. We have identified and removed many SQL injection flaws during our assessments, and we can do the same for you.

Curious to read our case studies?

We have a large collection of case studies covering mobile, network, web application, database, wireless and other security sectors. Read our case studies to see how we approached the challenge of eradicating vulnerabilities.

Last but not the least:

Many global cyber breach incidents go unnoticed because reports of them are scattered across obscure websites rather than being available from one place at a single click. Our Threatsploit Adversary report collects cyber breaches from around the world, the losses faced by the companies involved, and much more. Instead of searching for them one at a time, just read our report and save yourself the time.

Briskinfosec

Cybersecurity

Briskinfosec is a leading cybersecurity assessment company offering comprehensive security services, solutions and compliance. Our cybersecurity services cover the preventive techniques used to protect the integrity of networks, programs, data and websites from attack, damage or unauthorized access.
