[WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler

Michael S. Menefee mmenefee at securesolve.com
Tue Jun 24 22:07:06 EDT 2008


Well if it does not account for form variables, then it doesn't really
account for much.....




-----Original Message-----
From: Bryan Sullivan [mailto:bryansul at microsoft.com] 
Sent: Tuesday, June 24, 2008 8:23 PM
To: Zinho; websecurity at webappsec.org
Subject: RE: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler

No, it definitely does check for blind SQLi. Are your test pages
vulnerable through form inputs? As Billy said earlier, Scrawlr does not
submit forms.

-----Original Message-----
From: Zinho [mailto:zinho at hackerscenter.com]
Sent: Tuesday, June 24, 2008 5:04 PM
To: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler

I have to agree with Michael. I tested it on both simple ASP and PHP
pages with a clear sql injection. Nothing. The tool doesn't even seem to
check for blind sqli.
I think it merely gets the server's response and looks for known SQL
errors. Not to mention the limited crawling capabilities.
I would have expected something more from HP/MS. Free tools around do a
much better job.

http://www.hackerscenter.com/index.php?/Blogs/2819-HP-and-MS-give-us-a-new-SQL-Injection-tool.html


----
Armando Romeo

Webmaster and Founder

Hackers Center
Internet Security Portal
www.hackerscenter.com



Michael S. Menefee wrote:
> Billy,
>
> Although this is indeed a good step, there are already a plethora of
> "free" sql injection scanners or exploiters that kick the crap out of
> this tool.
>
> However, I am extremely excited to see this kind of development in the
> commercial space, and would like to see some enhancements to this
> product. Now, if HP's goal is to push their commercial tools ($$$) by
> pushing a limited "free" version, then I suppose none of this will ever
> happen, but *at a minimum* it would be nice to be able to either modify
> headers or input credentials where public sites are not the target.
>
> I tested this on 3 sites I knew to be vulnerable to SQL injection (all
> ASP.NET, MSSQL), but either cookies or authentication were required to
> actually test in these cases, hence nothing was discovered with this
> tool (lame).
>
> There's nothing worse than a free version of a product designed
> exclusively for you to be left "wanting" and thinking about purchasing
> the commercial version.
>
> If there are unseen or hidden options to this tool, forgive me,
> otherwise I don't really see the value when so many better free tools
> exist (Pangolin, Absinthe, Magic, Power Injector, etc, etc, etc)
>
> -----Original Message-----
> From: Hoffman, Billy [mailto:billy.hoffman at hp.com]
> Sent: Tuesday, June 24, 2008 5:35 PM
> To: websecurity at webappsec.org
> Subject: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler
>
> In response to all the Mass SQL Injection attacks this year, Microsoft
> approached HP and the Web Security Research Group (formerly SPI Labs)
> for assistance. While there was nothing they could patch, Microsoft
> wanted to provide tools to help developers find and fix these issues.
> After a month of development HP created Scrawlr.
>
> Scrawlr (short for SQL Injector and Crawler) is a free tool that will
> crawl a website while simultaneously analyzing the parameters of each
> individual web page for SQL Injection vulnerabilities. Scrawlr was
> designed specifically to help protect against these mass injection
> attacks which are using Google queries to find older web applications and
> automatically injecting them. As such, Scrawlr crawls a website using
> the same techniques as a search engine: it doesn't keep state, or submit
> forms, or execute JavaScript or Flash. Thus Scrawlr is finding and
> auditing the pages that would have been indexed by the search engines.
>
> To reduce false positives Scrawlr provides proof of the vulnerability
> results by displaying the type of backend database in use and a list of
> available table names. There is no denying you have SQL Injection when I
> can show you table names!
>
> Microsoft Announcement here:
> http://www.microsoft.com/technet/security/advisory/954462.mspx
> HP WSRG Blog:
> http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx
> Download here: https://download.spidynamics.com/Products/scrawlr/
>
> Enjoy,
> Billy Hoffman
> --
> Manager, HP Web Security Research Group
> HP Software - Application Security Center
> Direct:  770-343-7069
>
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>



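The thread turns on what a stateless, link-following crawler such as Scrawlr describes itself to be will and will not exercise: query parameters reachable from links, but never form fields, cookies or authenticated pages. The script below is an added example (not Scrawlr's code and not from anyone in the thread) that sorts one page's inputs into those two groups so a defender can see where such a scanner leaves gaps; the HTML and the host name `shop.example` are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, parse_qsl

class SurfaceParser(HTMLParser):
    """Sort a page's inputs into link query parameters and form fields."""
    def __init__(self, base):
        super().__init__()
        self.base = base
        self.link_params = {}  # path -> set of query parameter names (crawler-visible)
        self.form_fields = {}  # (method, action path) -> field names (never submitted)
        self._form = None      # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            u = urlparse(urljoin(self.base, a["href"]))
            if u.netloc == urlparse(self.base).netloc and u.query:  # same host only
                names = {k for k, _ in parse_qsl(u.query, keep_blank_values=True)}
                self.link_params.setdefault(u.path, set()).update(names)
        elif tag == "form":
            method = a.get("method", "get").lower()
            action = urlparse(urljoin(self.base, a.get("action", ""))).path
            self._form = (method, action)
            self.form_fields.setdefault(self._form, [])
        elif tag in ("input", "select", "textarea") and self._form and a.get("name"):
            self.form_fields[self._form].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def crawler_coverage(html, base):
    """Return (link_params, form_fields) for one page served under `base`."""
    p = SurfaceParser(base)
    p.feed(html)
    return p.link_params, p.form_fields

# Constructed sample page, loosely modelled on the ASP sites discussed in the thread.
SAMPLE_HTML = """<html><body>
<a href="/product.asp?id=12">Widget</a> <a href="product.asp?id=13&cat=2">Gadget</a>
<a href="http://other.example/p.asp?id=1">Partner site</a>
<form method="post" action="/login.asp">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form>
<form action="/search.asp"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    links, forms = crawler_coverage(SAMPLE_HTML, "http://shop.example/")
    print("crawler-visible:", links, "\nnever submitted:", forms)
```

Anything listed under form fields (and anything behind a login or a cookie, which this page-level check cannot see) needs a scanner that submits forms and carries session state, or a manual test.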