Computing Reviews
A heuristic-based approach for detecting SQL-injection vulnerabilities in Web applications
Ciampa A., Visaggio C., Di Penta M. SESS 2010 (Proceedings of the 2010 ICSE Workshop on Software Engineering for Secure Systems, Cape Town, South Africa, May 2, 2010), 43-49. 2010. Type: Proceedings
Date Reviewed: Sep 7 2010

SQL injection is one of the most common methodologies for hacking ill-developed Web applications. This fine paper describes a recently created tool for performing SQL injection for penetration testing purposes.

Fault injection into systems and response monitoring is a general methodology for security assessment, for large organizations and for software quality and security analysis. SQL injection falls in this category. In broad terms, it happens when a specific text input is entered into a Web form that passes through to the back-end SQL Server and escapes the normal data handling, forcing the server to perform outside the normal application specifications. Furthermore, sometimes the errors returned by the SQL Server also provide information, so that subsequent injections do even more harm.
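The mechanism described above, as an added example that is not taken from the review or from the paper: a lookup that splices form input into the SQL text, beside the same lookup with a bound parameter, plus a defender-side check that flags responses echoing database error text. It uses an in-memory SQLite database for portability; the table, the function names, the sample names, and the error signatures are all constructed for illustration.

```python
import re
import sqlite3

# Constructed error signatures a tester might search responses for
# (illustrative only; not the error database described in the paper).
DB_ERROR_PATTERNS = [
    re.compile(r"syntax error", re.I),
    re.compile(r"unrecognized token", re.I),
    re.compile(r"unterminated quoted string", re.I),
]

def make_db():
    """Build a throwaway in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users (name) VALUES (?)",
                   [("alice",), ("O'Brien",)])
    return db

def lookup_concat(db, name):
    """Weak form: input becomes part of the SQL text, and raw errors are echoed."""
    try:
        sql = "SELECT id FROM users WHERE name = '" + name + "'"
        return f"found {len(db.execute(sql).fetchall())}"
    except sqlite3.Error as exc:
        # The database's own message reaches the client: the leak described above.
        return f"database error: {exc}"

def lookup_param(db, name):
    """Hardened form: input is bound as data, and errors are made generic."""
    try:
        rows = db.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()
        return f"found {len(rows)}"
    except sqlite3.Error:
        return "request failed"

def leaks_db_error(response):
    """True when a response body contains a known database error signature."""
    return any(p.search(response) for p in DB_ERROR_PATTERNS)

if __name__ == "__main__":
    db = make_db()
    for fn in (lookup_concat, lookup_param):
        out = fn(db, "O'Brien")  # an ordinary surname containing a quote
        print(fn.__name__, "->", out, "| leaks:", leaks_db_error(out))
```

A legitimate surname containing an apostrophe is enough to break the concatenated query and surface the database's error text, while the bound-parameter version treats the same input purely as data.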

Randomly and exhaustively creating the text inputs that correspond to the SQL queries that usually expose the vulnerabilities is time consuming and inexact. Instead of doing so, the so-called V1p3R (viper) tool presented in this paper has a smart engine that goes deeper than the brute-force approach. Ciampa, Visaggio, and Di Penta nicely describe the viper's structure and present some preliminary statistics that compare its effectiveness with other well-known tools. The results favor the viper tool's performance, both in speed and in number of vulnerabilities detected. This is not surprising from a tool that incorporates intelligence in the form of a database of errors, a database of SQL strings, a Web crawler engine, a pattern matching manager, and, of course, the injector itself.

Both the paper and the presented tool will be useful to Web developers.

Reviewer: Constantin S. Chassapis
Review #: CR138365 (1108-0839)
 
Testing And Debugging (D.2.5)
 