ИСТИНА

Last year we came up with an idea of a systematic approach to evaluation of sql injection scanners, which was published here (http://andrewpetukhov.blogspot.com/2011/08/building-benchmark-for-sql-injection.html). Predictably, tools performed best at detecting error-based issues and worst – at doing blind sql injection with unstable html page. After publishing the first results we have gathered feedback, updated our test bench and re-evaluated current versions of popular tools (w3af, sqlmap, skipfish, burp pro). The talk provides an insight into capabilities and intelligence of the tools (especially for blind cases) as well as guidance on when and in what order to use the tools to achieve the best coverage and save more time. In the end we are going to share our experience (lessons learned, insights and failures) gained during the design and operation of our test bench.