SQL Injection -Using Burp Suite | Briskinfosec

SQL injection is an attack in which an attacker “injects” malicious SQL into an application’s query so that the backend database executes it. This can corrupt or destroy the victim’s database tables and expose sensitive and other important data.

We will see how to identify SQL injection using Burp Suite, a proxy interceptor tool widely used by penetration testers for web application penetration testing.

Using Burp To Detect SQL Injection Flaws

  • First, ensure that Burp is correctly configured with your browser.
  • Next, visit the web page of the application that you are testing.
  • Then return to Burp and ensure “Intercept is on” in the Proxy “Intercept” tab.
  • Now send a request to the server; in this example, by clicking the “Submit” button.


  • The request will be captured in the Proxy “Intercept” tab.
  • One way to test an application for SQL injection vulnerabilities is to send the request to Burp Scanner.
  • Right click anywhere on the request to bring up the context menu.
  • Click “Do an active scan”

  • Once the scan is complete, go to the Target “Sitemap” tab.
  • In this example, the Scanner has found a number of SQL injection issues.
  • Click on an individual issue to view the “Advisory” tab, which provides details about each specific vulnerability.
  • You can also view the requests and responses on the basis of which Burp has reported the issue.


Manual testing for SQL injection flaws

  • The request will be captured in the Proxy “Intercept” tab.
  • Right click anywhere on the request to bring up the context menu and click “Send to Repeater”.

  • Go to the “Repeater” tab.
  • Here we can input various payloads into the input fields of the web application.
  • We can test various inputs by editing the values of the appropriate parameters in the “Params” tab.
  • In this example, we are attempting to reveal the credit card details held by the application.
  • The value Smith' OR '1' = '1 is an attempt to alter the query logic so that the WHERE clause is always true, revealing all the user information held in the table.

  • The response can be viewed in the “Response” panel of the Repeater tool.
  • Responses that warrant further investigation or confirmation can be viewed in your browser.

  • Click “Show response in browser” and copy the URL that Burp provides.
  • Paste the URL into the browser to view the response there.
  • In this example, the attack has yielded the credit card details of all users.


CONCLUSION:

The most beneficial ways to prevent SQL injection are:

  • Properly configuring the firewall so that it blocks suspicious requests and cannot be bypassed.
  • Upgrading the website to the latest version of its framework.
  • Validating the request parameters in the URL at the point of origin and blocking the request immediately if any unsafe character is present.
  • Implementing a WAF (Web Application Firewall) without fail.
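The list above is perimeter-focused, so it helps to see at the code level why the Repeater payload from the manual-testing section (Smith' OR '1' = '1) returns every row, and why the same value is harmless once the query binds it as a parameter. The following is an added example and not code from the original post or from Briskinfosec: it builds a constructed in-memory SQLite table, runs the payload through a string-concatenated query and through a parameterized one, and adds the kind of allow-list parameter validation the third item above recommends. Table and column names, the sample card numbers and the name pattern are all assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed sample data (not from the original post): a users table holding
# the kind of card details the Repeater example in the post retrieves.
SAMPLE_ROWS = [
    ("Smith", "4111-1111-1111-1111"),
    ("Jones", "5500-0000-0000-0004"),
    ("Taylor", "3400-0000-0000-009"),
]

# The value entered in the post's Repeater example, written with straight quotes.
PAYLOAD = "Smith' OR '1' = '1"

# Allow-list for a customer name parameter (assumed policy for this example):
# letters, spaces and hyphens only, at most 64 characters. Quotes, equals
# signs and SQL keywords never pass, so the payload above is rejected.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z \-]{0,63}$")


def open_db():
    """Create the constructed users table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, card TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """String concatenation: the supplied name becomes part of the SQL text.

    With the payload, the statement becomes
    SELECT ... WHERE name = 'Smith' OR '1' = '1'
    and the OR clause is true for every row, which is exactly what the
    post observes in the Repeater response.
    """
    sql = "SELECT name, card FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Bound parameter: the value is sent separately from the SQL text.

    The quote inside the payload stays data, so the database looks for a
    customer literally named "Smith' OR '1' = '1" and finds nothing.
    """
    sql = "SELECT name, card FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def is_safe_name(value):
    """Allow-list validation of the request parameter before it is used."""
    return bool(NAME_RE.fullmatch(value))


def run_demo():
    """Run the payload against both query styles and return the row counts."""
    conn = open_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, PAYLOAD)),
        "parameterized_rows": len(lookup_parameterized(conn, PAYLOAD)),
        "exact_rows": len(lookup_parameterized(conn, "Smith")),
        "payload_passes_validation": is_safe_name(PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the script shows three rows from the concatenated query, zero rows from the parameterized query with the same input, one row for the genuine name, and the payload failing validation. The validation function is a second layer: a name pattern this strict will also reject legitimate values such as O'Brien, so the parameterized query, not the character filter, is the control that actually closes the flaw Burp reported.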


SQL (Structured Query Language) based web attacks are a burning threat to every organization that holds information. These attacks have been increasing steadily, but stealthily. To protect your company from these kinds of threats, approach a genuine security company to resolve your security flaws. For in-depth insight into our services, check out the services page.
