When testing for SQL injection bugs, you need to find the places where user-supplied data is used when interacting with a SQL statement. The following are some tips to help you get started hunting for SQL injection bugs.
Identify places where SQL queries are constructed using user-supplied data, and attempt to cause a SQL injection for each one.
Review the permissions on objects, databases, views, custom stored procedures, and so forth to identify any weak permissions that could lead to elevation of privilege attacks if there is a SQL injection. Make sure the application connects to the database using an account that has only the permissions it needs; an injected statement runs with exactly the rights of that account.
Use SQL Server Profiler with the SQLInjection template to trace all of the SQL statements that the database executes, including nested statements contained within stored procedures.
Attempt to break out of a statement using single quotation marks, but also remember that some queries require different techniques to break out, depending on where the data lands: a numeric context needs no quotation mark at all, and other contexts call for a semicolon, a closing parenthesis, a comment delimiter, or a closing bracket.
Look for queries that allow the user to specify the sort order of the results, such as using ASC and DESC. Column names and sort direction cannot be passed as SQL parameters, so they are often appended to the end of the query as raw text, which makes them a likely place for SQL injection.
Look for queries that are dynamically constructed by string concatenation rather than with SQL parameters, especially if they contain user-supplied data. There is a high risk that an attacker can cause a SQL injection in these queries.
Look for LIKE clauses to see whether you can alter the behavior of the statement using wildcard characters that shouldn't be allowed (in Transact-SQL these are %, _, and the [ ] range syntax).
Look for places in the stored procedure code that use EXEC, EXECUTE, or sp_executesql to execute a dynamic query that was constructed using user data. Note that sp_executesql protects only the values passed as its parameters; user data concatenated into the statement text is just as injectable as it is with EXEC.
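The three tips above (user-chosen sort order, concatenated dynamic SQL, and EXEC or sp_executesql on a user-built string) come together in the following added Transact-SQL example, which is not part of the original text. It shows a stored procedure that concatenates a search term, a sort column and a sort direction into a statement and runs it with EXEC, the inputs that exploit each part, and a rewrite that passes the value as an sp_executesql parameter and restricts the sort clause to a fixed list. The table, column and procedure names are assumed for the demonstration.

```sql
-- Constructed demo table (assumed names) so the script runs on its own.
CREATE TABLE dbo.Products (
    Id    int           NOT NULL PRIMARY KEY,
    Name  nvarchar(100) NOT NULL,
    Price money         NOT NULL
);
INSERT INTO dbo.Products VALUES (1, N'Widget', 9.99), (2, N'Gadget', 19.99);
GO

-- VULNERABLE: user data is concatenated into the statement text and run with EXEC.
-- The search term is quoted but never escaped, and the sort column and direction are
-- appended as bare text because ORDER BY cannot take them as parameters.
CREATE PROCEDURE dbo.SearchProducts_Vulnerable
    @Search  nvarchar(100),
    @SortCol sysname,
    @SortDir nvarchar(100)
AS
BEGIN
    DECLARE @Sql nvarchar(max) =
          N'SELECT Id, Name, Price FROM dbo.Products WHERE Name LIKE ''%' + @Search + N'%'' '
        + N'ORDER BY ' + @SortCol + N' ' + @SortDir;
    EXEC (@Sql);
END
GO

-- A single quote breaks out of the LIKE literal; the comment marker discards the rest.
-- Resulting text: ... WHERE Name LIKE '%' OR 1=1 --%' ORDER BY Name ASC
EXEC dbo.SearchProducts_Vulnerable N''' OR 1=1 --', N'Name', N'ASC';

-- The sort direction needs no quote at all. A semicolon starts a second statement that
-- reports which login the injected code runs as and whether it is sysadmin, which is
-- the privilege question the permissions tip in this list raises.
EXEC dbo.SearchProducts_Vulnerable N'Wid', N'Name',
     N'ASC; SELECT SUSER_SNAME(), IS_SRVROLEMEMBER(''sysadmin'') --';
GO

-- HARDENED: the search term is an sp_executesql parameter, so it is only ever a value.
-- The sort column is mapped through a fixed list and the direction reduced to two tokens;
-- unrecognised input falls back to a default instead of reaching the statement text.
CREATE PROCEDURE dbo.SearchProducts_Safe
    @Search  nvarchar(100),
    @SortCol sysname,
    @SortDir nvarchar(100)
AS
BEGIN
    DECLARE @OrderBy sysname = CASE @SortCol
                                   WHEN N'Name'  THEN N'Name'
                                   WHEN N'Price' THEN N'Price'
                                   ELSE N'Id'
                               END;
    DECLARE @Dir nvarchar(4) = CASE WHEN UPPER(@SortDir) = N'DESC' THEN N'DESC' ELSE N'ASC' END;

    -- Only the fixed-list output is concatenated; QUOTENAME on the identifier is defence in depth.
    DECLARE @Sql nvarchar(max) =
          N'SELECT Id, Name, Price FROM dbo.Products WHERE Name LIKE N''%'' + @p + N''%'' '
        + N'ORDER BY ' + QUOTENAME(@OrderBy) + N' ' + @Dir;

    EXEC sp_executesql @Sql, N'@p nvarchar(100)', @p = @Search;
END
GO

-- The same inputs are now harmless: the first matches no product whose name contains
-- the text ' OR 1=1 --, and the second simply sorts ascending and runs nothing else.
EXEC dbo.SearchProducts_Safe N''' OR 1=1 --', N'Name', N'ASC';
EXEC dbo.SearchProducts_Safe N'Wid', N'Name', N'ASC; SELECT SUSER_SNAME() --';
GO
```

Even the hardened version still passes the search term into a LIKE pattern, so a user can supply % or _ to widen the match; if that matters for the application, escape those characters and add an ESCAPE clause, as the LIKE tip below describes.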
Look for data truncation issues, especially when using QUOTENAME and REPLACE, in variables that hold user data and are used to execute dynamic SQL statements. Escaping lengthens the string, so an escaped value assigned to a variable sized for the original input can be silently cut off, which can strip a doubled quotation mark and reopen the very injection the escaping was meant to close.
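The truncation problem described above, as an added Transact-SQL example that is not part of the original text: a procedure that escapes single quotes with REPLACE but stores the result in a variable no larger than the input, the input that exploits the truncation, and the parameterised rewrite. Table, column and procedure names are assumed for the demonstration.

```sql
-- Constructed demo table (assumed names) so the script runs on its own.
CREATE TABLE dbo.Users (
    Name    nvarchar(40) NOT NULL PRIMARY KEY,
    Email   nvarchar(60) NOT NULL,
    IsAdmin bit          NOT NULL DEFAULT 0
);
INSERT INTO dbo.Users VALUES (N'alice', N'alice@example.test', 0), (N'bob', N'bob@example.test', 0);
GO

-- VULNERABLE: REPLACE doubles every single quote, which is a correct escape by itself,
-- but the result is assigned to a variable the same size as the input. Escaping can
-- grow a value by up to its own length, and assignment to a too-small variable is
-- silently truncated, so a value that ends in a quote loses the doubled partner.
CREATE PROCEDURE dbo.SetEmail_Vulnerable
    @Name  nvarchar(40),
    @Email nvarchar(40)
AS
BEGIN
    DECLARE @EscEmail nvarchar(40) = REPLACE(@Email, N'''', N'''''');  -- 41 chars cut to 40
    DECLARE @EscName  nvarchar(40) = REPLACE(@Name,  N'''', N'''''');
    DECLARE @Sql nvarchar(500) =
          N'UPDATE dbo.Users SET Email = ''' + @EscEmail
        + N''' WHERE Name = '''   + @EscName  + N'''';
    PRINT @Sql;   -- the text a Profiler trace would show
    EXEC (@Sql);
END
GO

-- Attack: 39 filler characters plus a quote fill @Email exactly. REPLACE makes 41
-- characters and the assignment truncates back to 40, leaving a lone quote at the end.
-- In the built statement that quote joins the literal's closing quote to form an
-- escaped '' and the literal runs on to the opening quote of the Name literal, so
-- @Name is parsed as SQL code:
--   UPDATE dbo.Users SET Email = 'aaa...a'' WHERE Name = ', IsAdmin = 1 --'
-- No WHERE clause survives: every row gets the new email and IsAdmin = 1.
DECLARE @Payload nvarchar(40) = REPLICATE(N'a', 39) + N'''';
EXEC dbo.SetEmail_Vulnerable @Name = N', IsAdmin = 1 --', @Email = @Payload;
SELECT Name, Email, IsAdmin FROM dbo.Users;   -- both rows now show IsAdmin = 1
GO

-- FIX: there was never a reason for dynamic SQL here; a parameterised statement has
-- nothing to escape and nothing to truncate. Where dynamic SQL is unavoidable, size the
-- escaped variable for the worst case (twice the input plus delimiters) and check the
-- result, and remember that QUOTENAME returns NULL for input longer than 128 characters,
-- which turns the whole concatenated statement into NULL instead of raising an error.
CREATE PROCEDURE dbo.SetEmail_Safe
    @Name  nvarchar(40),
    @Email nvarchar(40)
AS
BEGIN
    UPDATE dbo.Users SET Email = @Email WHERE Name = @Name;
END
GO
```

When reviewing code like the vulnerable procedure, compare the declared size of every variable that receives an escaped or quoted value with the size of the input it came from; any variable that is not at least twice as large as its source (plus room for the delimiters) is a truncation candidate worth testing with an input that ends in a quotation mark.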
Remember that injection bugs are not limited to SQL. Other technologies, such as HTML, XPath, and LDAP, are also vulnerable to similar attacks.
If QUOTED_IDENTIFIER is set to OFF (a connection-level option that is also captured into each stored procedure when it is created), double quotation marks delimit string literals just as single quotation marks do, so don't forget to try them as well.
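The break-out contexts listed above (single quotation marks, semicolons, closing parentheses, comments and brackets), the LIKE wildcard tip, and the QUOTED_IDENTIFIER tip are brought together in this added Transact-SQL script, which is not part of the original text. A small helper splices an attacker value into a template the way vulnerable code would, prints the finished statement (the text a SQL Server Profiler trace would show) and executes it; each call demonstrates one context. Table, procedure and the {input} marker name are assumed for the demonstration.

```sql
-- Constructed demo table (assumed names) so the script runs on its own.
SET QUOTED_IDENTIFIER ON;
GO
CREATE TABLE dbo.Accounts (Id int PRIMARY KEY, Name nvarchar(50), Note nvarchar(100));
INSERT INTO dbo.Accounts VALUES (1, N'alice', N'ok'), (2, N'admin', N'secret');
GO
-- Helper: substitute the value into the template, show the result, run it.
CREATE PROCEDURE dbo.Splice @Template nvarchar(max), @Input nvarchar(max)
AS
BEGIN
    DECLARE @Sql nvarchar(max) = REPLACE(@Template, N'{input}', @Input);
    PRINT @Sql;
    EXEC (@Sql);
END
GO

-- 1. String literal: a single quote closes it; -- discards the developer's closing quote.
--    Result: ... WHERE Name = '' OR 1=1 --'
EXEC dbo.Splice N'SELECT Id, Name FROM dbo.Accounts WHERE Name = ''{input}''',
                N''' OR 1=1 --';
-- 2. Numeric context: there is no quote to close, so a bare boolean is enough.
EXEC dbo.Splice N'SELECT Id, Name FROM dbo.Accounts WHERE Id = {input}',
                N'0 OR 1=1';
-- 3. Parenthesised literal: a quote alone leaves an unbalanced ) and a syntax error,
--    so the payload closes both before adding its condition.
EXEC dbo.Splice N'SELECT Id, Name FROM dbo.Accounts WHERE (Name = ''{input}'')',
                N''') OR 1=1 --';
-- 4. Input landing inside a block comment: close it, inject, reopen it so the trailing
--    */ the developer wrote is swallowed by the new comment.
EXEC dbo.Splice N'SELECT Id, Name FROM dbo.Accounts /* requested by {input} */ ORDER BY Id',
                N'x */ UNION ALL SELECT Id, Note FROM dbo.Accounts /*';
-- 5. Bracketed identifier, typical for user-chosen sort columns: ] closes it and ;
--    starts a new statement.
EXEC dbo.Splice N'SELECT Id, Name FROM dbo.Accounts ORDER BY [{input}]',
                N'Name]; SELECT Note FROM dbo.Accounts --';
-- 6. LIKE: no break-out at all, but % (and _ or [ ] ranges) changes the match. A
--    "prefix search" that accepts a bare % returns every row.
EXEC dbo.Splice N'SELECT Id, Name FROM dbo.Accounts WHERE Name LIKE ''{input}%''',
                N'%';
GO

-- 7. QUOTED_IDENTIFIER OFF makes "..." a string delimiter, so code that builds literals
--    with double quotes and escapes only single quotes is broken out of with a " instead.
--    This case is run directly rather than through dbo.Splice, because the procedure
--    captured QUOTED_IDENTIFIER ON at creation and would parse "..." as identifiers.
--    The statement below is what input  " OR 1=1 --  would produce:
SET QUOTED_IDENTIFIER OFF;
GO
SELECT Id, Name FROM dbo.Accounts WHERE Name = "" OR 1=1 --";
GO
SET QUOTED_IDENTIFIER ON;
GO
```

Cases 1 to 5 return the admin row or the secret note even though the templates look like they constrain the query; case 6 shows the wildcard problem without any break-out; case 7 only works because of the session setting, which is why the QUOTED_IDENTIFIER state of both the connection and each stored procedure matters when you pick the quotation mark to test with.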