7

As part of my job I test for web application vulnerabilities regularly. When it comes to SQL injection, my methodology is to start by manually browsing the website and spidering it, then sending the parameters that I suspect interact with the database to SQLMap.

Now, I'm wondering if this is the right way of looking for SQL Injection? Will SQLMap be able to find most types of SQL Injection or should I resort to manual testing instead?

Mico
    It all comes down to your knowledge. How experienced are you in figuring out whether the site is vulnerable to SQL injection? I personally always try to do it manually first and then run a tool to verify my results. – Technidev May 16 '16 at 13:48

2 Answers

5

Using SQLMap will be helpful, since it scans for most well-known vulnerabilities and will save you some time and effort. But the greatest threat is a hacker's imagination and ability to exploit something more complex and unusual than SQLMap can find. For me, the best way to check for SQL injection vulnerabilities - and even more types of vulnerabilities - is to think outside the box. Become the attacker, not the defender. These tools (like SQLMap) are part of the solution, but not the solution.

Chris Tsiakoulas
    `But, the greatest threat is a hackers' imagination and ability to exploit something more complex` - such is pen-testing. Great answer. +1. –  May 17 '16 at 13:34
1

I think you should check for SQL injection vulnerabilities manually, because you are more likely to detect a vulnerability, and you also acquire more experience as an information security professional. On the other hand, it isn't good to trust tools like SQLMap. Firstly, a tool doesn't have the experience and knowledge that a human has; a tool is limited to using different kinds of SQL injection exploitation, so if you detect a SQL injection vulnerability manually, you can acquire data to use in an automated process with SQLMap. In this way, you can take advantage of your knowledge of how to detect SQL injection vulnerabilities and how to use SQLMap for specific purposes. Second, using SQLMap without a previous manual review could be dangerous, because the SQL injection could be part of any insert, delete or update statement; then, if you don't configure SQLMap correctly, you could break the integrity of the database. Remember, SQLMap and other similar software are just tools, and you have to acquire the knowledge to use them correctly.

hmrojas.p
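The second answer's warning about injectable insert, delete or update statements, shown as an added example that is not part of either answer: a boolean-style test string reaching a concatenated `UPDATE` rewrites every row, while the parameterized form matches nothing. The table, function names and probe string are constructed for illustration, and an in-memory SQLite database stands in for a disposable test copy.

```python
import sqlite3

# Constructed boolean-style probe of the kind automated scanners send.
PROBE = "x' OR '1'='1"

def fresh_db():
    """Build a throwaway in-memory database with three constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("carol", "carol@example.test")],
    )
    db.commit()
    return db

def update_email_concat(db, name, new_email):
    """Vulnerable: input is concatenated into a write statement."""
    sql = ("UPDATE users SET email = '" + new_email +
           "' WHERE name = '" + name + "'")
    cur = db.execute(sql)
    db.commit()
    return cur.rowcount  # rows actually modified

def update_email_param(db, name, new_email):
    """Hardened: input is bound as data, never parsed as SQL."""
    cur = db.execute("UPDATE users SET email = ? WHERE name = ?",
                     (new_email, name))
    db.commit()
    return cur.rowcount

def distinct_emails(db):
    """Integrity check: how many different e-mail values remain."""
    return db.execute("SELECT COUNT(DISTINCT email) FROM users").fetchone()[0]

def run_demo():
    """Send the same probe to both code paths and report the damage."""
    results = {}
    for label, fn in (("concat", update_email_concat),
                      ("param", update_email_param)):
        db = fresh_db()
        modified = fn(db, PROBE, "probe@example.test")
        results[label] = (modified, distinct_emails(db))
        db.close()
    return results

if __name__ == "__main__":
    print(run_demo())
```

Comparing the modified-row count and a simple integrity query before and after a test run is a cheap way to notice that a probe landed in a write statement.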