SQLi Dumper – SQL Injection for anyone
Recently I’ve seen quite a few SQL injection attempts originating from an application called SQLi Dumper. The web applications being attacked were not susceptible to SQL injection and are behind my favourite web application firewall (Incapsula), which raises an alert and then blocks the requests before they can reach the web servers.
I became fairly proficient using SQLMap to automate SQL injection when learning how to mitigate such attacks and later for testing web applications. As I hadn’t heard of SQLi Dumper before, I decided to take a closer look and discovered it makes launching SQL injection attacks even easier than using SQLMap.
This application even helps users find potentially vulnerable sites using Dorks. If you’re involved with writing or maintaining applications that connect to databases, particularly older websites/apps, and aren’t aware how dangerous SQL injection can be, the video below might be a bit of an eye-opener.
SQLi Dumper – Guide to SQL Injection
SQL injection mitigation strategies
- Use prepared statements (parameterized queries)
- Escape all user-originated input
- Ensure the database user only has the permissions it needs (i.e. access only to the databases/data it needs, with only the functions it needs)
- Use a web application firewall such as Incapsula, CloudFlare or Akamai
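The first and third mitigations side by side, as an added example that is not part of the original post. It uses Python's built-in sqlite3 module; the table, the sample rows and the function names are constructed for illustration, and SQLite's authorizer callback stands in for the grants a database server would apply to a restricted account.

```python
import sqlite3

def make_db():
    """Constructed in-memory database with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn

def find_user_concat(conn, name):
    """Vulnerable: input is pasted into the SQL text and can rewrite the query."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_param(conn, name):
    """Hardened: the ? placeholder binds input as data, never as SQL syntax."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def restrict_to_reads(conn):
    """Least privilege: allow only SELECT statements and column reads."""
    allowed = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ}
    def authorizer(action, arg1, arg2, db_name, source):
        return sqlite3.SQLITE_OK if action in allowed else sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)

def write_is_blocked(conn):
    """True if the connection refuses a write, as a read-only account would."""
    try:
        conn.execute("DELETE FROM users")
        return False
    except sqlite3.DatabaseError:
        return True

if __name__ == "__main__":
    conn = make_db()
    crafted = "' OR '1'='1"  # constructed input containing a quote
    print("concatenated:", find_user_concat(conn, crafted))
    print("parameterized:", find_user_param(conn, crafted))
    restrict_to_reads(conn)
    print("write blocked:", write_is_blocked(conn))
```

The concatenated query returns every row for the crafted input, while the parameterized query treats the same input as a literal name and returns nothing.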
Further information
OWASP SQL Injection Prevention – https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
SQLMap – http://sqlmap.org/