NT OBJECTives announced NTO SQL Invader, a free tool which provides pen testers and developers the ability to quickly and easily exploit and demonstrate SQL Injection vulnerabilities in Web applications.
Most organizations understand that SQL Injection vulnerabilities put their sensitive data at risk and it has been the dominant method used in this year’s high-profile web application attacks; with millions of sites attacked in 2011.
Despite the fact that SQL injection is well documented and there are tools to discover the vulnerabilities, it has been very difficult to determine if the vulnerability can actually be exploited because most existing SQL Injection testing tools are executed from a command line, lack an intuitive user interface or are no longer supported.
Without the ability to clearly demonstrate the exploitability of a vulnerability, remediation efforts are often delayed and friction between security and development teams surfaces. NTO SQL Invader allows pen testers and developers to quickly and easily leverage a vulnerability to view the list of records, tables and user accounts on the back-end database.
NTO SQL Invader works as a stand-alone tool and also includes integration with NTOSpider’s reporting technology to assist pen testers and developers in quickly identifying and validating discovered vulnerabilities. While reviewing and confirming results from NTOSpider, users can leverage NTO SQL Invader to provide a polished, real-world proof-of-concept for the discovered SQL Injection vulnerabilities.
“Accurate vulnerability identification is a crucial and challenging task but it is only half the battle,” says Dan Kuykendall, co-CEO and CTO of NT OBJECTives. “We wanted to support organizations in their analysis and remediation efforts by providing an easy to use tool that enables penetration testers to demonstrate how these vulnerabilities can be exploited. We felt it was important to provide a free and useful tool to our customers and to the entire community.”
Product benefits overview:
Ease of use and validation – NTO SQL Invader’s GUI interface enables users to simply paste the injectable request found by the DAST tool into NTO SQL Invader and then select “Start Detecting Injection” to identify the injectable parameter/input. Users can also feed a more detailed request straight into NTO SQL Invader from NTOSpider’s report or BurpSuite. Once the injection is identified, the user is in control of how much information is harvested, all from the simple to use GUI interface.
Clear Presentation Evidence – NTO SQL Invader provides the evidence required to demonstrate that the vulnerability truly exists in a polished method that can be leveraged in both executive meetings and remediation discussions. NTO SQL Invader users execute are able to clearly shows the acquisition of data from the back-end database in a way that makes it easy for both technical and business viewers to understand. Sometimes it just takes a compelling screenshot or video to silence the skeptics on the validity of a vulnerability. While the command line tools are effective, they do not present polished, organized or clear information in a presentation setting.
Transportable logging data – All of the data harvested from NTO SQL Invader can be saved into a CSV file so the reports can be included as penetration evidence as part of a presentation or POC.