Comments on: BSQL Hacker – Automated SQL Injection Framework http://www.darknet.org.uk/2008/09/bsql-hacker-automated-sql-injection-framework/ Ethical Hacking, Penetration Testing & Computer Security Sun, 08 Nov 2009 07:15:43 +0000 http://wordpress.org/?v=2.8.5 hourly 1 By: SpikyHead http://www.darknet.org.uk/2008/09/bsql-hacker-automated-sql-injection-framework/#comment-124890 SpikyHead Fri, 03 Oct 2008 07:02:14 +0000 http://www.darknet.org.uk/?p=1026#comment-124890 @Yami King I got that now.. yeah, I agree with you on this. preach secure coding day and night. But, the day is still very far away when applications will be invulnerable to such attacks... as still 99% of the developers are more focused towards features and performance on the cost of security issues. Till that day, these tools will help us earn our bread. ;) @Yami King
I got that now.. yeah, I agree with you on this. preach secure coding day and night. But, the day is still very far away when applications will be invulnerable to such attacks… as still 99% of the developers are more focused towards features and performance on the cost of security issues.

Till that day, these tools will help us earn our bread. ;)

]]> By: Yami King http://www.darknet.org.uk/2008/09/bsql-hacker-automated-sql-injection-framework/#comment-124887 Yami King Thu, 02 Oct 2008 10:24:05 +0000 http://www.darknet.org.uk/?p=1026#comment-124887 @ SpikyHead You are correct about the fact that these tools can still be useful and even necessary for security consultants and auditers. But my comment was especially aimed at the fact that there are still a lot of (web)applications vulnerable to SQL Injections, while it is one of the most documented attack around, and this should not be the case. The following is a bit abstract (maybe a bit too abstract) but I think you'll get the basic idea of what I meant: `Instead of making tools to test for SQL Injection vulnerabilities, make the application invulnerable to SQL Injections.` Though there is a sort of chicken and the egg problem here, since you need to test your application for SQL Injections to prove it is invulnerable, but that's not the point I wanted to make. @ SpikyHead
You are correct about the fact that these tools can still be useful and even necessary for security consultants and auditers.
But my comment was especially aimed at the fact that there are still a lot of (web)applications vulnerable to SQL Injections, while it is one of the most documented attack around, and this should not be the case.

The following is a bit abstract (maybe a bit too abstract) but I think you’ll get the basic idea of what I meant:
`Instead of making tools to test for SQL Injection vulnerabilities, make the application invulnerable to SQL Injections.`
Though there is a sort of chicken and the egg problem here, since you need to test your application for SQL Injections to prove it is invulnerable, but that’s not the point I wanted to make.

]]> By: SpikyHead http://www.darknet.org.uk/2008/09/bsql-hacker-automated-sql-injection-framework/#comment-124883 SpikyHead Thu, 02 Oct 2008 02:19:56 +0000 http://www.darknet.org.uk/?p=1026#comment-124883 Ididnt get a chance to check out the tools as yet.. @Yami I disagree, such tools are still very much needed. especially for security consultants to show the power of sql injection... or for security audits.. as well as for security new bees Ididnt get a chance to check out the tools as yet..

@Yami
I disagree, such tools are still very much needed. especially for security consultants to show the power of sql injection… or for security audits..

as well as for security new bees

]]> By: Yami King http://www.darknet.org.uk/2008/09/bsql-hacker-automated-sql-injection-framework/#comment-124866 Yami King Tue, 30 Sep 2008 17:54:56 +0000 http://www.darknet.org.uk/?p=1026#comment-124866 The tool itself is quite nice -though it still crashes sometimes over here- and can be proven useful in many situations. Especially the template functionality is timeless, not only for novices, but also for many people just trying to be productive. But there is one thing I dislike about these kinds of products, and it has something to do with the fact I just said the template functionality is timeless... That is, that these tools should not be necessary anymore, especially not since the SQL Injection and it's relatives (Blind SQL Injection, Deep Blind SQL Injection, etc..) are one of the most discussed and documented (web)application vulnerabilities out there. The tool itself is quite nice -though it still crashes sometimes over here- and can be proven useful in many situations. Especially the template functionality is timeless, not only for novices, but also for many people just trying to be productive.

But there is one thing I dislike about these kinds of products, and it has something to do with the fact I just said the template functionality is timeless… That is, that these tools should not be necessary anymore, especially not since the SQL Injection and it’s relatives (Blind SQL Injection, Deep Blind SQL Injection, etc..) are one of the most discussed and documented (web)application vulnerabilities out there.

]]>