Checking an error message from a website.
Hey there. I'm planning a little app to analyze website URL's and check if they're vulnerable to SQL Injection. Now as I understand it, a commonly employed method for checking is to find query strings and put a little " ' " next to the parameter. Obviously this makes an invalid query and the server returns an error. I was wondering if Java has some classes that let's me check this error. I understand that a more web based language might be more appropriate, and if that is strongly the case then I have no problem moving onto something different, but being bumped in the right direction by someone would be quite nice!! Thanks guys :)
Re: Checking an error message from a website.
Surely that would only work if the website returned the error?
And, indeed, would be entirely dependent on the code used on the server?
PHP would be different from ASP would be different from Java...and then all the various frameworks underneath.
Re: Checking an error message from a website.
Agreed. But this is an error returned by the SQL engine,
Which makes it a lot more similar than first thought, In theory.
One solution I was thinking of was to attempt to navigate to
The Test URL, save the web page and open it as a text file,
Then use regular expressions to see if key phrases are flagged up.
Seems like quite a long winded solution, and I can already see some
potential problems ( websites about SQL perhaps). What do
You think?
Re: Checking an error message from a website.
What SQL engine?
And how does that message get from the database to the front end?
Maybe I'm confused here...are we talking about any websites, or a particular one in which this message is sent to the client browser?
Re: Checking an error message from a website.
Ah yeah that's a good point. The idea was
For this tool to work on any website but Yeah.
I was working on the assumption that most SQL errors are displayed
On the front end browser.. Might be a little bit more difficult than I first imagined :P
Do you have any ideas for a better solution?
Re: Checking an error message from a website.
Nope.
Displaying errors from the backend raw is considered a pretty big security hole.
No website I have worked on would do it. Any that haven't been handled and have managed to get all the way back to the top of the server stack are turned into generic "there's been a problem" errors.
So you won't be able to do what you're planning.
Re: Checking an error message from a website.
Ah well. Thank you for the advice!!!
