Nmap has released a new NSE Script , HTTP-SQL-INJECTION.nse for the penetration testing , using Nmap for SQL Injection testing . This means the most popular network scanner now also offers to scan the web application for SQL Injection vulnerabilities . This Nmap script has a sole purpose of finding the SQL injection vulnerabilities . The script runs on NSE (Nmap Scripting Engine) , the Nmap built-in engine for running the scripts for Nmap .
http-sql-injection.nse works with nmap and uses Http spiders . The script spiders on HTTP servers and looks for any URL’s that might be vulnerable to SQL injection . http-sql-injection.nsewill also extract any forms found on the web app and tries to find any vulnerable form fields .
The script spiders an HTTP server looking for URLs containing queries. It then proceeds to combine crafted SQL commands with susceptible URLs in order to obtain errors. The errors are analysed to see if the URL is vulnerable to attack. This uses the most basic form of SQL injection but anything more complicated is better suited to a standalone tool.
Well the Nmap team seems to be doing great work Nmap Fans !!
Now this Network scanner has much wider application in penetration testing .