Precautions before testing for sql injection of a web application

ktandel · 10-17-2014, 07:31 AM

What are the precautions that needed to be taken before testing for sql injection on a webpage to prevent damaging the integrity of that web application?

TenTenths · 10-17-2014, 08:23 AM

Take full backups and don't run tests on a live/production server.

ktandel · 10-31-2014, 08:07 AM

I heard the test could be run on live server and thats what I wish to know how it can be carried out ?

unSpawn · 11-01-2014, 10:16 PM

It's expected from a Live web application users will alter data. So what TenTenths wrote about making backups partially addresses that in that you have a data set that is (or should be) consistent up to the point that you start your pentest. Note prevention means keeping damage from happening, as in: inline IDS, reverse proxy, application firewall, well vetted code.

I agree you should not run pentests on Live production targets but on your staging area.
Then again some people only learn things the hard way...