Miroslav Stampar on database security, open source projects, and the future of SQLmap
SQLmap is an open source pen testing tool that can detect and exploit database vulnerabilities, with options for injecting malicious code to simulate attacks.
Founded by Daniele Bellucci in 2006, the project was soon taken over by Bernardo Damele, who developed and promoted it, most notably at Black Hat Europe 2009.
Later that year, Miroslav Stampar answered a call for developers and joined the project.
With SQL injection still cited as the biggest web application security risk in 2019, The Daily Swig caught up with Stampar to find out what’s been going on behind the scenes at SQLmap and how the developers are looking to further help organizations shore up their database defenses.
What led you to become involved in the SQLmap project?
Miroslav Stampar: At that time I was a young professional software developer and long-time security enthusiast seeking something new and cool in the ‘hacking’ arena. There is a really funny anecdote, which is a big part of the project’s history: When I first spotted Bernardo’s call for developers, I actually thought it was related to another project called SQID – SQL injection digger – which I liked the most out of all SQL injection tools I had tried up until that point. After a year or two, out of the blue, I suddenly realised that I had been working on a different project the whole time.
How has SQL injection evolved as an attack vector over the years?
MS: SQL injection is one of the most potent vulnerabilities in internet history. Over two decades from the first documented occurrence, it is still at the top of the OWASP Top 10 most critical web application security risks. It peaked in 2008-2011, which was a turbulent period of massive breaches and hacktivism.
While the vulnerability has basically stayed the same, there has been a noticeable improvement in inherent protection of web applications. Some programming mistakes are less risky than 10 years ago, because the underlying web-to-database application mechanisms started to inspect the user-provided data format.
Technologies such as Microsoft ASP.NET and Web Application Firewalls (WAFs) drastically reduced the attack plane. It is becoming more and more difficult to exploit the vulnerability.
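The "inherent protection" Stampar describes, as an added illustration that is not part of the interview or of SQLmap's code: a constructed SQLite-backed lookup in three forms, one that splices the request parameter into the statement (the pattern SQLmap is built to find), one that only lets the driver bind the value, and one that additionally enforces the parameter's format the way a typed framework binding does. The table, rows and function names are assumptions made for the example.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for a web application's backend database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return conn

def lookup_concatenated(conn, user_id):
    # Vulnerable form: raw request data becomes part of the SQL text, so a
    # tautology such as "2 OR 1=1" rewrites the WHERE clause.
    sql = "SELECT name FROM users WHERE id = " + user_id
    return [row[0] for row in conn.execute(sql)]

def lookup_bound(conn, user_id):
    # Driver-level protection: the value is bound, never parsed as SQL. The
    # payload is compared as the literal text '2 OR 1=1', which matches no id.
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]

def lookup_typed(conn, user_id):
    # Framework-style protection on top of binding: the parameter's format is
    # inspected first, so malformed input is rejected before any query runs.
    if not isinstance(user_id, str) or not user_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (int(user_id),))]

if __name__ == "__main__":
    db = make_db()
    payload = "2 OR 1=1"                       # constructed tautology input
    print(lookup_concatenated(db, "2"))        # ['bob']
    print(lookup_concatenated(db, payload))    # every user: clause rewritten
    print(lookup_bound(db, payload))           # []: bound as text, no match
    try:
        lookup_typed(db, payload)
    except ValueError as err:
        print("rejected before query:", err)
```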
What’s your primary userbase? Do you need to be an experienced webadmin/pen tester, or can anyone start to use SQLmap?
MS: In general, the userbase is made up of people who know how to run Python programs and who know basic web terms such as URL address, GET parameters, and POST body.
The average user won’t ever need to touch the majority of switches and/or options, as SQLmap tends to automatically remove the burden of fine-tuning the whole detection and exploitation process.
Nevertheless, the main obstacle seems to be the requirement to run SQLmap in console mode. Many people either don’t know how, or have a negative attitude toward console applications, although we plan to eventually release a GUI version.
One important thing to mention here is the handling of such a large userbase. There is a described procedure which users should follow in reporting their own problems while running SQLmap in particular cases. The procedure is there for a reason: to help us in detecting, reproducing, and patching the code (if there is anything to patch).
If this procedure is not followed – especially by enthusiastic ‘newbies’ – this inevitably results in sporadic clashes of egos, which procured me the status of BOFH (Bastard Operator From Hell).
How important is it that SQLmap is an open source project?
MS: One of the main factors of SQLmap’s success is, for sure, its open source code. As there is nothing to hide, everyone can take a look inside and maybe learn something, or give us advice on improving parts of it.
I believe that my programming skills started to improve noticeably from the moment I decided to leave my code open for the scrutiny of unknown reviewers. When you do a closed source development, visibility of the project and yourself is drastically reduced.
What do you think of noSQLmap? Are you exploring the development of any other tools that might help databases not underpinned by SQL?
MS: SQL and NoSQL are two different beasts. While in SQL injection you really need only one vulnerable parameter to pivot through the backend database management system’s stored content, in the case of NoSQL you either target the misconfiguration of the service itself – direct access through the internet accessible port – or you have a pretty limited ‘injection’ potential in the web application part.
Now, ideally, both cases would have an ‘injection’ as a primary attack plane, which would lead to some kind of merging of those two projects. The reality is different, and that prevents us in SQLmap from expanding in this area.
Nevertheless, personally, I would never say never to NoSQL(map), as I have a feeling that it has potential. Maybe with some quality research and working hours it could be noticeably expanded and improved as an attack vector. Am I interested? Maybe.
Are any features of SQLmap geared towards other platforms, such as the cloud?
MS: One critical feature of SQLmap is the ability of users to stay hidden at all times. This basically means that if users use adequate steps – for example VPN or Tor – SQLmap won’t try to send any kind of private information to third parties.
Even as the unhandled issue reporting mechanism removes any kind of ‘sensitive’ information that could reveal the identity of its user, it is up to the user to send it voluntarily to our GitHub repository. Thus, our strong belief is that any kind of ‘clouding’ would just scare part of our user base.
What’s on the horizon for SQLmap in 2019?
MS: Prototyping GUI support, slowly switching from Python2 to Python3, and continuous testing in our own virtual environment.