SQL injection targets the database, so the first thing you need to figure out is which database (management system) is the application running against. Once this is determined then you can figure out how to target that specific system for sql injection.
Recently i have prepared a secutiy test plan for my project and i have observed intresting things abt Sql Injection and penetration testing.
SQL Injection: Is the process of adding SQL statements in user input. It is Used by hackers to:
Execute multiple SQL statements
Call built-in stored procedures
For this you need to
Sanitize all input
Consider all input as harmful until proven otherwise
Look for valid data and reject everything else
Consider the use of regular expressions to remove unwanted characters
Run with least privilege
Never execute as sa
Restrict access to built-in stored procedures
Use stored procedures or SQL parameterized queries to access data
Do not echo ODBC errors.
Comming to Penetration Testing:
It will be purely based on the Threat modelling section in your design documents.
I have one more doubt...
They are using Stored Procedures here..
So how can I check their security??
Will the SQl injection work on stored procedure also??
Or else I need to do any other type of testing