SQLfast

What is SQLfast?

SQLfast (SQL Formal AnalysiS Tool) is a bash script that takes an ASLan++ specification as input and uses the ASLan++ translator to generate a transition system in the low-level language ASLan. It then calls the model checker CL-AtSe and, if an attack is found, generates an Abstract Attack Trace (AAT) as an MSC. SQLfast automatically detects which type of SQLi has been exploited and interactively generates the curl or sqlmap commands to concretize the reported SQLi. This helps the modeler test the AAT against the concrete web application.

Details on how the approach works can be found here.

 

How to create your own specification

In the textarea below you should write the behavior of the web application. If you are familiar with ASLan++, this means that you should NOT write the behavior of other entities but only the one that represents the web application.


Download SQLfast

Tested on
  • Fedora release 20 (Heisenbug)
    GNU bash, version 4.2.53(1)-release (x86_64-redhat-linux-gnu)
  • Linux debian 3.16.0-4-amd64
    GNU bash, version 4.3.30(1)-release (x86_64-pc-linux-gnu)