What are some of the available tools that can help identify SQL injection or XSS vulnerabilities in Web applications?
Manually checking for SQL injection and cross-site scripting (XSS) vulnerabilities in today's large and complex Web applications is a time-consuming task. It demands a high degree of expertise and up-to-date knowledge of the latest attacks. Automated tools can speed up the review process while highlighting the areas that a manual review should investigate further, and they are an essential part of the application development process.
A good automated Web application vulnerability scanner crawls your entire website, testing all possible inputs such as forms and cookies, reporting where the URL or script is vulnerable to SQL injection, XSS and other vulnerabilities. I don't know the size of your organization or budget, so let's look at some of the free tools you can use.
Security Compass Inc. has developed a suite of Firefox add-ons for testing Web application security. These aren't automated tools, but they are easy to install and use, appearing in the Firefox tools menu. The free tools include XSS-Me for testing for certain XSS vulnerabilities, and SQL Inject-Me for SQL injection vulnerabilities. Both work by substituting values in your forms that are representative of these attacks. If the form fails the test, the tool marks the page as “vulnerable,” but doesn't actually try to compromise the application.
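To make the detection principle concrete, here is an added example (not code from Security Compass or any of the tools named on this page) of what a "substitute a representative value and mark the page as vulnerable" check looks like when run against a constructed, in-process stand-in for an application: two SQL lookups (one built by string concatenation, one parameterized) over an in-memory SQLite table, and two HTML renderers (one raw, one escaped). The check functions, probe strings, table contents and `scan()` report are all assumptions made for the example; the point is that a verdict is reached from the application's observable behaviour without going any further.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the application's back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_vulnerable(conn, name):
    """Builds the statement by concatenation: user input can alter its structure."""
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def lookup_safe(conn, name):
    """Parameterized query: the input is bound as data and cannot change the SQL."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def render_vulnerable(comment):
    """Reflects the value into HTML without encoding."""
    return f"<p>{comment}</p>"


def render_safe(comment):
    """Output-encodes the value so markup characters lose their meaning."""
    return f"<p>{html.escape(comment)}</p>"


def check_sqli(handler, conn):
    """Send one representative SQL-injection string and report whether the
    query structure was altered. Nothing beyond the verdict is attempted."""
    probe = "' OR 'a'='a"
    try:
        rows = handler(conn, probe)
    except sqlite3.Error:
        # Input reached the SQL parser as syntax: the query is not parameterized.
        return "vulnerable"
    # A correctly bound lookup can only ever match the literal probe text,
    # so any other row coming back means the WHERE clause was rewritten.
    return "vulnerable" if any(r[0] != probe for r in rows) else "ok"


def check_xss(renderer):
    """Reflect a harmless marker tag and see whether it survives unencoded."""
    canary = "<xss-canary>"
    page = renderer(canary)
    return "vulnerable" if canary in page else "ok"


def scan():
    """Run every check and return a verdict per input handler."""
    conn = make_db()
    return {
        "sqli_concat": check_sqli(lookup_vulnerable, conn),
        "sqli_param": check_sqli(lookup_safe, conn),
        "xss_raw": check_xss(render_vulnerable),
        "xss_escaped": check_xss(render_safe),
    }


if __name__ == "__main__":
    for handler, verdict in scan().items():
        print(f"{handler}: {verdict}")
```

The two "safe" handlers show the fixes the scanners are steering you toward: bind SQL parameters rather than concatenating, and encode on output for the context the value lands in. The XSS check uses a neutral marker tag rather than a working script so the result is a verdict, not an exploit; a real tool substitutes a long list of attack strings in the same slot, which is why its verdict is only as good as that list.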
XSSploit, from SCRT Information Security, is an XSS scanner and exploiter written in Python. It first crawls your website, identifying and analyzing any forms it finds to detect any XSS vulnerabilities. If used as part of a penetration test, any vulnerabilities can then be exploited using the exploit generation engine to automatically create the exploit payload.
If you develop ASP-based applications, you can use Microsoft's Source Code Analyzer for SQL Injection, a static code-analysis tool that helps find SQL injection vulnerabilities in ASP code. The free edition of Acunetix Inc.'s Web Vulnerability Scanner checks Web applications for various vulnerabilities, including SQL injection and XSS.
Using vulnerability scanners is good practice, but it has to be part of an overall secure development process in which you look to eradicate vulnerabilities at every stage of the development cycle, not just once application development is complete. Also, new attack vectors are being discovered all the time, and a clear result from a scanner doesn't necessarily mean your application is vulnerability-free. XSS-Me, for example, comes with a comprehensive list of attack strings, but it can't currently handle the different types of encoding that may evade detection and filtering functions.
You should perform regular scans of your Web applications, both those bought off the shelf and those custom-built, particularly after any changes to either the application or the system it's running on. The OWASP Testing Project describes how to set up a best-practice testing framework, with guidance on how to find certain issues. The fuzzer plug-in for their WebScarab project lets you automate repetitive testing by sequentially sending a set of values to the application so the responses can be analyzed.
This was first published in August 2011