SQL injections (SQLi) are an insidious form of attack that can access sensitive or private data. They were first discovered at the end of the last century. Despite their age, they are still often used as an effective technique in the hacker's toolkit. Here, we present the top SQLi detection tools.
Top SQLi Detection Tools
There are a great many SQLi detection tools, many of which are open source and available at GitHub. In addition to specialized SQLi detection tools, there are larger suites and proprietary packages that incorporate SQLi as part of their overall vulnerability-spotting capabilities. Several of these have been included here, too. Read on for our top picks, in no particular order.
Netsparker is a web vulnerability management solution that includes SQLi detection as one of its many features. It also focuses on scalability, automation, and integration.
The suite is built around a web vulnerability scanner and can be integrated with third-party tools. Operators don’t need to be knowledgeable in source code. The company also offers an SQL Injection Cheat Sheet to help in mitigation efforts.
The Netsparker platform uses Proof-based Scanning technology to identify and confirm vulnerabilities, indicating results that are definitely not false positives. In addition to SQL injection, it can identify cross-site scripting (XSS) and other vulnerabilities in web applications, web services, and web APIs.
SQLMap is an automatic SQLi and database takeover tool available on GitHub. This open-source penetration testing tool automates the process of detecting and exploiting SQLi flaws or other attacks that take over database servers.
It includes a detection engine; several ways to conduct penetration testing; and tools for database fingerprinting, data fetching, accessing underlying file systems, and executing commands on the operating system (OS) via out-of-band connections.
jSQL Injection is a Java-based tool that helps IT teams find database information from distant servers. It is another of the many free, open source ways to address SQLi. It supports Windows, Linux, and Mac operating systems and Java versions 11–17.
It is such an effective SQLi deterrent that it is included inside many other vulnerability scanning and penetration testing products and distributions. This includes Kali Linux, Pentest Box, Parrot Security OS, ArchStrike, and BlackArch Linux.
It also offers automatic injection of 33 database engines including Access, DB2, Hana, Ingres, MySQL, Oracle, PostgreSQL, SQL Server, Sybase, and Teradata. It provides the user with ways to address multiple injection strategies and processes and offers script sandboxes for SQL and tampering.
Havij was developed by an Iranian security company. It provides a graphical user interface (GUI) and is an automated SQLi tool, supporting several SQLi techniques. It has particular value in supporting penetration testers in finding vulnerabilities on web pages. While it is primarily for Windows, there are workarounds to get it functioning on Linux, too.
The web vulnerability scanner within Burp Suite uses research from PortSwigger to help users find a wide range of vulnerabilities in web applications automatically. For example, Burp Collaborator identifies interactions between its target and an external server to check for bugs invisible to conventional scanners, such as asynchronous SQL injection and blind server-side request forgery (SSRF).
Burp is also designed to handle dynamic content, unstable internet connections, API definitions, and web applications. Additionally, scan checks can be selected individually or by group, and custom configurations can be saved — such as a scan configuration to report only vulnerabilities appearing in the OWASP Top 10.
BBQSQL is a Python-based injection exploitation tool that takes a lot of the tedium out of writing custom code and scripting to address SQLi issues. It is mostly used when dealing with more sophisticated SQL injection vulnerabilities. As it is semi-automatic and database agnostic, it simplifies customization and is relatively easy to use.
It also makes use of Python-based tools to boost performance. Users provide data such as the URL impacted, the HTTP method, and other inputs as part of the setup. They must also specify where the injection is going, as well as the syntax being injected.
Blisqy deals with time-based blind SQL injection on HTTP headers. This kind of exploit enables slow data siphoning from a database through blind SQL injection, using bitwise operations on printable ASCII characters. It supports the MySQL and MariaDB databases.
As it is written in Python, it can be imported into other Python-based scripts. Blisqy is a fast and efficient way to compensate for network lags and other delays, as its time comparison is dynamic and calculated at runtime for each test.
Acunetix Web Vulnerability Scanner
Acunetix by Invicti does SQL injection testing as part of its overall function, which is to scan web-based applications. Its multi-threaded scanner can crawl across hundreds of thousands of pages rapidly for both Windows and Linux. It identifies common web server configuration issues and is particularly adept at scanning WordPress.
Blind SQL Injection via Bit Shifting
Blind SQL Injection via Bit Shifting performs blind SQL injection by using the bit shifting method to calculate characters instead of guessing them. Bit shifting moves the position of the bits to the left or right. For example, 00010111 can be shifted to 00101110. The blind SQL module requires seven or eight requests per character, depending on the configuration.
Damn Small SQLi Scanner
Damn Small SQLi Scanner (DSSS), written by one of the creators of SQLMap, is a compact SQLi vulnerability scanner consisting of fewer than 100 lines of code. In addition to its use as a vulnerability scanner, this tool emphasizes its ability to perform some of the same tasks as tools that take up larger amounts of code.
However, as expected from its size, it has definite limitations. For instance, it only supports GET parameters and not POST parameters.
Leviathan is characterized as a mass audit collection of tools. As such, it contains a range of capabilities for service discovery, brute force, SQL injection detection, and running custom exploit capabilities. It includes several open source tools inside, including masscan, ncrack, and DSSS, which can be used individually or in combination.
In addition, it can discover FTP, SSH, Telnet, RDP, and MySQL services running in a specific country or in an IP range. The discovered services can then be subjected to brute force via ncrack. Commands can be run remotely on compromised devices. Specific to SQLi vulnerabilities, it can detect them on websites with country extensions.
NoSQLMap is a Python tool that can be used in audits. It is often used in the automation of SQL injection attacks and in finding and exploiting default configuration weaknesses in NoSQL databases and web applications that use NoSQL, in order to disclose or clone data from a database.
This open-source tool is well maintained and could be looked upon as a cousin of SQLMap. As the name suggests, NoSQL addresses data models that are different from the tabular approach used in relational databases. But NoSQL databases do support SQL-like query languages and so are subject to SQLi. NoSQLMap focuses mainly on MongoDB and CouchDB. Future releases will expand its repertoire.
Tyrant SQL is a Python-based GUI SQL injection tool similar to SQLMap. Its GUI allows for greater simplicity. This makes it easier to use for beginners analyzing vulnerable links and determining where weaknesses lie.
Whitewidow is another open-source SQL vulnerability scanner. As it is automated, it can run through a long file list rapidly or scrape Google for potentially vulnerable websites.
Whitewidow also offers other features such as automatic file formatting, random user agents, IP addresses, server information, and multiple SQL injection syntaxes. This tool also offers the ability to launch SQLMap from within it.
However, Whitewidow isn’t so much a remediation tool as an educational one. It helps teach users what vulnerabilities look like, but it relies on SQLMap for greater SQLi detection capabilities.
Explo is a basic tool that was designed to describe web security issues in a human and machine-readable format. It defines a request/condition workflow, which allows it to exploit security issues without the need for writing a script.
Thus, it can address complex vulnerabilities, yet share them in a simple, readable, and executable format.
What Is SQL injection?
Structured query language, or SQL, is a language used heavily in relational databases such as Microsoft SQL Server, Oracle, IBM DB2, and MySQL. As databases tend to host sensitive information for enterprises, a malicious SQL injection can lead to leaking of sensitive information, web content modification, and deletion of data.
SQLi, then, exploits vulnerabilities that exist within SQL-based applications. Hackers inject code into SQL queries to enable them to add, modify, and delete database items.
But it isn’t just the databases that are affected. SQLi can spread to web applications and websites connected to an SQL database. According to the Open Web Application Security Project (OWASP), injection is the most prevalent threat to web applications.
How Do You Prevent SQL Injection?
SQLi attacks execute malicious SQL queries and can be used to bypass application security, evading authentication and authorization controls. Attacks vary widely depending on the type of database engine. The most common variants include user input-based SQLi, cookie-based SQLi, HTTP headers-based SQLi, and second-order SQLi.
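Second-order SQLi is the least obvious of the variants listed above, so the following added example (not part of the original article) shows it beside the parameterized fix, using Python's built-in sqlite3 module. The table names, sample rows, and function names are assumptions made for the demonstration.

```python
import sqlite3

def make_db():
    """Build a constructed in-memory database (sample data, not from the article)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("CREATE TABLE orders (owner TEXT, item TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?)",
                   [("alice", "laptop"), ("bob", "phone")])
    return db

def register(db, name):
    # Parameterized insert: safe at write time, but the name is stored
    # verbatim, including any quote characters it contains.
    return db.execute("INSERT INTO users (name) VALUES (?)", (name,)).lastrowid

def _name_of(db, user_id):
    # Read the stored name back; this is the value both lookups below reuse.
    row = db.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0]

def orders_vulnerable(db, user_id):
    # Second-order flaw: a value read back from the database is assumed to be
    # trusted and is concatenated into a new statement.
    query = "SELECT item FROM orders WHERE owner = '" + _name_of(db, user_id) + "'"
    return sorted(row[0] for row in db.execute(query))

def orders_hardened(db, user_id):
    # Fix: bind the stored value as a parameter, exactly like direct user input.
    query = "SELECT item FROM orders WHERE owner = ?"
    return sorted(row[0] for row in db.execute(query, (_name_of(db, user_id),)))

if __name__ == "__main__":
    db = make_db()
    alice = register(db, "alice")
    crafted = register(db, "x' OR '1'='1")  # constructed test value
    print("alice  :", orders_vulnerable(db, alice), orders_hardened(db, alice))
    print("crafted:", orders_vulnerable(db, crafted), orders_hardened(db, crafted))
```

The same binding rule applies to values taken from form input, cookies, and HTTP headers: every value that reaches a query is bound as a parameter, regardless of where it came from.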
Mitigation and prevention of SQLi is initially all about knowing which applications may be vulnerable — meaning any website that interacts with a SQL database. Vulnerability scans are a good way to assess where you might be at risk. Another approach is to conduct penetration testing. This is essentially trying to break into your system and find any flaws that can be exploited.
Of course, there are a host of SQLi detection tools on the market. Several should be incorporated into the IT troubleshooting arsenal.