Tuesday, January 13, 2009

SQLiBENCH - Benchmarking tool for sqli injectors

| Armando Romeo |
SQL injection exploitation is one of the (most important?) steps of a web application testing endeavour.
There are many tools around, each with its unique features and each with its area of use.

What are the discriminating factors among current SQL injection tools?
  • DBMS fingerprinting and support
    Some tools can deal with just a few versions of the same DBMS; others
    can deal with different DBMSs
  • Speed in terms of number of requests required to achieve a given task (dump table, dump rows, gain privileges, read / write files...)
Techniques to exploit this kind of vulnerability have been refined to reduce the number of requests sent to the web server to a minimum, thus optimizing the time spent dumping and maximizing results. There's no killer application here: so far, no single tool can be used for all DBMSs.

But at least we have SQLiBench, an OWASP-powered project that aims at, guess what, benchmarking these tools.

The goal of the project is to create a detailed set of benchmarking criteria for automatic SQL injection tools and to apply these to a set of open source SQL injectors, producing analysis/benchmarking reports. Additionally, in a semi-academic manner, the algorithms used by the targeted SQL injectors will be analyzed in terms of both implementation and complexity.

This is an extract of the great Tools Benchmarked matrix available here:

The SQLiBench project page is here

