SQL Inject Me allows you to test for SQL injection vulnerabilities that hackers can use to hijack your data and modify the contents of a database. Some of these vulnerabilities will even allow an attacker to execute administrative operations on the database, which is disastrous. Typically, the web applications most vulnerable to SQL injection are those written in PHP or ASP, but this vulnerability affects applications written in other languages as well. The XSS Me tool checks for XSS vulnerabilities that can allow a hacker to gain elevated privileges within your web application or within other applications connected to it. These two tools alone will not let you test for every type of SQL injection and XSS vulnerability, but they will let you establish foundational testing practices for both categories. Once you have mastered the functionality of these tools, you can adopt tools that expand on it, such as Metasploit and Nexpose, both of which have freeware versions available.
Once you have prepared a tool to perform SQL injection testing, you need to determine how best to formulate the attack strings that you will feed through the tool. Some tools ship with a library of such strings that they automatically feed into the application under test. For tools that do not, you must prepare your own SQL attack strings. This is not a trivial task, as there are many types of SQL injection attacks. SQL injection is a form of code injection, which means that rogue or malicious code is injected into the database layer through the client application. There are many resources on the web with advice on how to test for SQL injection vulnerabilities (ITSecTeam.com has a very good paper on it).
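The point above, that injection happens when user input is spliced into the query text, is easiest to see side by side with the fix. The following is an added example, not code from the original text or from any of the tools it mentions: it builds a constructed in-memory SQLite table, looks users up once with string concatenation and once with a parameterized query, and runs a small library of test strings through both so you can compare row counts. The test strings, the `users` table and the helper names are all assumptions made for this illustration.

```python
import sqlite3

# Constructed sample data for the illustration; not from the original text.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Query built by concatenation: the input becomes part of the SQL text.

    A quote character in the input ends the string literal early, so whatever
    follows is parsed as SQL rather than treated as data.
    """
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, username):
    """Parameterized query: the driver binds the input as a value, never as SQL."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Assumed test library: one legitimate name, one tautology-style injection
# string, and one legitimate value that merely contains an apostrophe.
TEST_INPUTS = [
    "alice",
    "alice' OR '1'='1",
    "o'brien",
]


def run_checks(conn, lookup, inputs=TEST_INPUTS):
    """Feed each test string through a lookup function.

    Returns a dict mapping the input to the number of rows returned, or the
    string "error" when the database rejected the query. Either more rows than
    expected or a syntax error on ordinary input signals that input is being
    parsed as SQL.
    """
    results = {}
    for value in inputs:
        try:
            results[value] = len(lookup(conn, value))
        except sqlite3.Error:
            results[value] = "error"
    return results


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", run_checks(db, lookup_vulnerable))
    print("parameterized:", run_checks(db, lookup_hardened))
```

Run stand-alone, the concatenated version returns both users for the tautology string and fails outright on `o'brien`, while the parameterized version returns exactly one row for `alice` and zero rows for the other two inputs. That contrast is the result you want a testing tool to surface: a query that returns extra rows or errors on ordinary punctuation is treating input as code.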
Testing for XSS involves checking whether a malicious script can be injected into the parameter of a web request, such as an HTTP GET request. Initially, this check is typically performed right in the browser’s URL bar, which allows a tester to determine quickly whether your application is susceptible. There are two types of XSS attacks, reflected and stored. In a reflected attack the injected code is reflected off the web server and back to the user, typically via an email link that the user clicks. In a stored attack the injected code is already sitting in a database or some other repository, and the user inadvertently retrieves it when they fetch data from it. The XSS Me tool will only help you test for reflected attacks. It will not help with stored attacks, so keep that in mind when planning your security testing strategy: you will want to adopt some other tool or penetration testing method to check for stored attacks.
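A reflected XSS check of the kind described above comes down to one question: does a parameter taken from the request come back in the page with its markup characters intact? The following is an added example, not part of the original text and not code from XSS Me: it pulls a parameter out of a GET URL, renders it once without encoding and once with HTML escaping, and uses a harmless probe string containing the characters an injection would need to tell the two apart. The URL, parameter name, probe string and function names are assumptions for this illustration.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit


def get_param(url, name):
    """Return a single query-string parameter from a GET URL (decoded)."""
    params = parse_qs(urlsplit(url).query)
    return params.get(name, [""])[0]


def render_vulnerable(name):
    """Echo the parameter straight into the HTML: a reflected XSS sink."""
    return "<p>Hello, " + name + "!</p>"


def render_hardened(name):
    """Escape &, <, >, and quotes so the browser treats the value as text."""
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>"


# Assumed probe: carries the characters needed to break out of an attribute
# and open a tag, but the tag name is meaningless so it does nothing if it
# happens to be rendered. Seeing it verbatim in the response is the finding.
PROBE = '"><xssprobe>'


def reflects_unescaped(render, probe=PROBE):
    """True when the probe survives rendering with its markup characters intact."""
    return probe in render(probe)


def check_get_parameter(base_url, param, render, probe=PROBE):
    """Simulate the URL-bar test: place the probe in a GET parameter, extract it
    the way the server would, render, and report whether it was reflected raw."""
    url = base_url + "?" + param + "=" + quote(probe, safe="")
    value = get_param(url, param)
    return reflects_unescaped(render, value)


if __name__ == "__main__":
    base = "https://app.example.test/greet"
    print("unencoded output reflects probe:", check_get_parameter(base, "name", render_vulnerable))
    print("escaped output reflects probe:  ", check_get_parameter(base, "name", render_hardened))
```

The probe approach is what a reflected-XSS checker does under the hood: the interesting signal is not a pop-up but the literal presence of `"`, `<` and `>` from the request in the response body. Output encoding at the point where the value is written into HTML, as in `render_hardened`, is the mitigation; an input filter alone is not, because the same value may be written into several different contexts.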
When you are ready to adopt more advanced security testing tools, you should take advantage of another freeware tool called WebScarab. This tool is an OWASP project and has multiple features that will allow you to test for various categories of vulnerabilities. Its user interface is not intuitive and is somewhat difficult to use, but it is a popular tool in the web application security testing community. Its main benefit is that it allows you to intercept and manipulate HTTP traffic. This class of testing falls under the category of fault injection, which simply means that you manually inject carefully crafted faults into a request or a data stream. While WebScarab offers many diverse features for security testing, be aware that it will take some time to become familiar with them and understand what each one does.
Many of these tools have features that need to be studied and understood before you try to use them. There is no point in applying an advanced testing mechanism without knowing how to interpret its results for your particular application. It is best to start slowly and master one or two testing features at a time before moving on.