New module to help researchers identify valid sql injection vulnerabilities

Events happening in the community are now at Drupal community events on www.drupal.org.
Posted by greggles on August 11, 2014 at 4:31pm

For anyone who runs a "responsible disclosure" program, you are probably used to getting reports of SQL injection that are not valid. SQL Injection can be tough for an independent researcher to validate because demonstrating it either requires a lot of time (to fingerprint the structure and get some secret) or a damaging interaction (dropping some tables?) or both.

To help researchers submit only valid issues, I've developed a module that makes it easier to inject data (because the target table structure is well known) and validate their injections (because the url where the researcher can see if they were successful is well known).

The module is at https://www.drupal.org/sandbox/greggles/2319259

I'd love to get reviews or feedback about the concept!

Comments

Do modules like this violate

Posted by mpdonadio on August 11, 2014 at 4:42pm

Do modules like this violate the TOS for DO? I literally just wrote a similar module for XSS injection and hesitated making it public for fear of someone considering it malicious software or a hacker tool.

I think this is a little

Posted by greggles on August 11, 2014 at 6:53pm

I think this is a little different use case than what I imagine you are describing.

The module I built doesn't automate the process of performing sql injection nor make it easier to exploit a sql injection. It just makes it easier to prove if you have successfully performed a sql injection to a site that is running this module.

It sounds like you're talking about a module that spiders a site and injects xss and looks for the javascript in the response. That kind of module can be used for either testing/securing a site or for attacking a site.

That said, my opinion is that both kinds of modules have a legitimate purpose and should have a home on drupal.org. I believe the new Terms-of-Service will be clarified/interpreted so that both can be posted/hosted on d.o.

Security

Group organizers

Group notifications

This group offers an RSS feed. Or subscribe to these personalized, sitewide feeds:

AltStyle によって変換されたページ (->オリジナル) /