Tuesday, 9 August 2011

How to get started on SQL Injection

Firstly, you need a good working knowledge of SQL. That may seem obvious but you can't just rattle off a bunch of SQL strings and have no idea what they are meant to be doing, what they are testing for and expect to test well.

Head over to here and diligently complete each of the exercises:


Secondly, get some pre-cooked SQL vectors to try out.

Go to http://ha.ckers.org/sqlinjection/ and try out the vectors MANUALLY

Do them manually to learn what they are, really read them and get familiar with SQL attack vectors. Try and construct some of your own given your knowledge of the app you're attacking.

Thirdly, Open Firefox and add 'SQL Inject Me'


Play with this add-on and see how it changes how you approach your testing. When you're done go to Firefox and click on "Tools > Add-Ons > Extensions > SQL Inject Me > Options > SQL Injection Strings" and add the bespoke vectors you created earlier.

Have fun!


Principle Test Architect, Test Hats.