Are there any tools for scanning for SQL injection vulnerabilities while logged in?

Let me offer you an easier alternative.

It is your website. You have access to the source code. Look through it and verify that all your database queries are parameterized. This is much much more efficient than scanning your website in the hopes that the tool you use tries the right injection at the right place.
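One way to make that source review repeatable, as an added example that is not part of the original answer: a small static check that lists `execute()` calls whose SQL text is assembled from non-literal pieces. It assumes a Python code base using DB-API style cursors; the names `find_dynamic_sql`, `EXEC_METHODS` and `SAMPLE` are hypothetical, and the audited snippet is constructed for illustration.

```python
import ast

EXEC_METHODS = {"execute", "executemany"}  # DB-API cursor methods (assumed call names)

def _is_literal(node):
    if isinstance(node, ast.Constant):  # plain constant: no external data in the SQL text
        return True
    return (isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add)
            and _is_literal(node.left) and _is_literal(node.right))

def _is_dynamic(node, tainted):
    if isinstance(node, ast.JoinedStr):  # f"... {x} ..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return not _is_literal(node)  # "..." + x  or  "...%s" % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"  # "...{}".format(x)
    return isinstance(node, ast.Name) and node.id in tainted

def find_dynamic_sql(source):
    """Return line numbers of execute() calls whose SQL text is built dynamically."""
    tree = ast.parse(source)
    tainted, changed = set(), True
    while changed:  # fixed point: names assigned a dynamic string (flow-insensitive)
        changed = False
        for n in ast.walk(tree):
            if isinstance(n, ast.Assign) and _is_dynamic(n.value, tainted):
                new = {t.id for t in n.targets if isinstance(t, ast.Name)} - tainted
                tainted |= new
                changed = changed or bool(new)
    return sorted(n.lineno for n in ast.walk(tree)
                  if isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute)
                  and n.func.attr in EXEC_METHODS and n.args
                  and _is_dynamic(n.args[0], tainted))

# Constructed sample of application code to audit (not from any real project).
SAMPLE = '''\
def by_name(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
def by_id(cur, uid):
    cur.execute("SELECT * FROM users WHERE id = ?", (uid,))
def by_mail(cur, mail):
    q = f"SELECT * FROM users WHERE mail = '{mail}'"
    cur.execute(q)
def by_role(cur, role):
    cur.execute("SELECT * FROM users WHERE role = '%s'" % role)
def count(cur):
    cur.execute("SELECT COUNT(*) " + "FROM users")
'''
```

Calling `find_dynamic_sql(SAMPLE)` reports the concatenated, f-string and `%`-formatted queries and leaves the parameterized and all-literal ones alone. An empty result only means none of these patterns was seen; SQL built through helper functions or `+=` still needs a manual read.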


There is a cookie option in sqlmap:

--cookie=COOKIE HTTP Cookie header

So you just need to paste your cookie and you will be able to use sqlmap as if you were logged in.

If you need the list of all the options: https://github.com/sqlmapproject/sqlmap/wiki/Usage


You don't "fix" SQL injection problems. Well, people do, but that's wrong. What you must do is not to allow them to happen in the first place. The main tool for that is, as @TerryChia points out, parameterized SQL statements. Parameterized SQL statements are very effective at preventing SQL injection attacks, by being a generic and thorough solution; this is much better, incomparably better, than any kind of "input data sanitation".

SQL injection attacks occur because the Web site is trying to interpret user-provided data (field contents) as code (SQL is a programming language, after all). This implementation strategy is doomed. It cannot be really "fixed"; see this answer for some conceptual discussion on this subject.

"When the only tool you have is a hammer, then all problems had better be nails, because you're gonna hit them repeatedly on the head." Be aware that parameterized SQL statements, though widely applicable and efficient (more than traditional "dynamic" SQL statements), cannot do everything; there are very rare and specific contexts where dynamically building up SQL statements is the only solution. But this is not your situation -- you would already know it, and also all that I write in this answer.


SQL injection "testing tools" are not satisfactory in any way: they are not meant for ensuring security, but for attacking the "low-hanging fruit". They will miss the overwhelming majority of possible SQL injections. Their purpose is to allow a non-technical attacker to nevertheless believe he is some kind of elite-level hacker; or to automate attack attempts on thousands of distinct sites. What these tools will tell you is one-way: if they succeed in breaking into your site, then you know that the site is extremely vulnerable; however, if they fail, then you know nothing.

Nevertheless, if you want to get a tool past a "login session" system (despite all that I have explained above), then it depends on how the login is managed. Most Web sites will use a "login page" which results in setting a cookie value in the client; that cookie represents the "logged in" state and it suffices to send it back to the server to be considered as part of the "session". SQL injection test tools allow you to include arbitrary cookie values in the request, which is what you are asking for. See, for instance, the sqlninja documentation (search for the second occurrence of the "cookie" word in that page).