[WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler

Oliver Lavery oliver at securitycompass.com
Wed Jun 25 00:24:22 EDT 2008


I'd just like to add a positive voice to the chorus. I haven't looked at
Scrawlr yet, and most likely won't, but the initiative is quite interesting
coming from major software firms.

Small, sharp, targeted solutions do have a very important place in
preventing mass exploitation of vulnerabilities, and given that HTTP
applications are a very weak link in the chain (of tubes), it's nice to see
vendors actively confronting the issue. A little surprising, but nice.

Based on the description on this list, it sounds like the advisory might be
trumpeting a little loudly:

"[HP Scrawlr will] Test all discovered links for verbose SQL injection by
sending HTTP requests containing SQL injection attack strings in form
fields, querystring parameters, and cookie values."

But throwing a hat into the arena, publishing an advisory, releasing several
free tools, and offering free support for users impacted by an issue that's
not provably entirely the vendor's fault is certainly a welcome change from
"if every developer always followed our guidelines to the letter this would
be a non-issue".

Cheers,
~ol
---
Oliver Lavery
Security Compass
http://www.securitycompass.com/

"Security is mostly a superstition. It does not exist in nature.... Life is
either a daring adventure or nothing."
-- Helen Keller


On 24/06/08 7:34 PM, "Hoffman, Billy" <billy.hoffman at hp.com> wrote:

> Michael, Zinho,
> 
> I'm not sure why people seem to think Scrawlr is a replacement for existing
> tools like Absinthe or Nikto or Burp, etc. It's not and I'm sorry if you got
> that impression.
> 
> Scrawlr exists for one reason: Some crazy hackers who read Chinese built this:
> http://isc.sans.org/diary.html?storyid=4294
> 
> Microsoft came to us for that specific need. To help them provide developers
> with tools to prevent these mass exploits. Because the attack tool leverages
> search engines to find target pages Scrawlr crawls and behaves like an
> indexing spider. It then SQL injects all query parameters exactly like the
> attack tool. We then extract all the user tables (be it Oracle, MSSQL, Mysql
> >=5, etc) to confirm SQL injection before flagging it. I'm very happy with our
> results.
> 
> Is the tool going to find issues behind auth or forms or other web components?
> No, but neither will the attackers using this mass exploit tool. Can they
> change tactics and use, for example, Nikto or Burp? Sure.
> 
> Could we have released Scrawlr as more of a WI Lite? Yes, but that was never
> its intent. And if you need something that's more robust by all means grab a
> free trial of WI or another vendor, or Burp, or Nikto or script some w3af.
> 
> Zinho, if you are finding bugs I'd love to learn more about them and get them
> fixed. Scrawlr supports proxies so that will help you see what is going on.
> Did the vuln page get crawled?
> 
> At the end of the day it's a free tool folks designed to solve a certain
> issue. I'm certainly open to more feedback but let's keep its original goals
> in perspective.
> 
> Thanks,
> Billy Hoffman
> --
> Manager, HP Web Security Research Group
> HP Software - Application Security Center
> Direct:  770-343-7069
> 
> 
> -----Original Message-----
> From: Zinho [mailto:zinho at hackerscenter.com]
> Sent: Tuesday, June 24, 2008 8:04 PM
> To: websecurity at webappsec.org
> Subject: Re: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler
> 
> I have to agree with Michael. I tested it on both simple ASP and PHP
> pages with a clear sql injection. Nothing. The tool doesn't even seem to
> check for blind sqli.
> I think it merely gets the server's response and looks for known SQL
> errors. Not to mention the limited crawling capabilities.
> I would have expected something more from HP/MS. Free tools around do a
> much better job.
> 
> http://www.hackerscenter.com/index.php?/Blogs/2819-HP-and-MS-give-us-a-new-SQL-Injection-tool.html
> 
> 
> ----
> Armando Romeo
> 
> Webmaster and Founder
> 
> Hackers Center
> Internet Security Portal
> www.hackerscenter.com
> 
> 
> 
Michael S. Menefee wrote:
>> > Billy,
>> >
>> > Although this is indeed a good step, there are already a plethora of
>> > "free" sql injection scanners or exploiters that kick the crap out of
>> > this tool.
>> >
>> > However, I am extremely excited to see this kind of development in the
>> > commercial space, and would like to see some enhancements to this
>> > product. Now, if HPs goal is to push their commercial tools ($$$) by
>> > pushing a limited "free" version, then I suppose none of this will ever
>> > happen, but *at a minimum* it would be nice to be able to either modify
>> > headers or input credentials where public sites are not the target.
>> >
>> > I tested this on 3 sites I knew to be vulnerable to SQL injection (all
>> > ASP.NET, MSSQL), but either cookies or authentication were required to
>> > actually test in these cases, hence nothing was discovered with this
>> > tool (lame).
>> >
>> > There's nothing worse than a free version of a product designed
>> > exclusively for you to be left "wanting" and thinking about purchasing
>> > the commercial version.
>> >
>> > If there are unseen or hidden options to this tool, forgive me,
>> > otherwise I don't really see the value when so many better free tools
>> > exist (Pangolin, Absinthe, Magic, Power Injector, etc, etc, etc)
>> >
>> >
>> > -----Original Message-----
>> > From: Hoffman, Billy [mailto:billy.hoffman at hp.com]
>> > Sent: Tuesday, June 24, 2008 5:35 PM
>> > To: websecurity at webappsec.org
>> > Subject: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler
>> >
>> > In response to all the Mass SQL Injection attacks this year, Microsoft
>> > approached HP and the Web Security Research Group (formerly SPI Labs)
>> > for assistance. While there was nothing they could patch, Microsoft
>> > wanted to provide tools to help developers find and fix these issues.
>> > After a month of development HP created Scrawlr.
>> >
>> > Scrawlr (short for SQL Injector and Crawler) is a free tool that will
>> > crawl a website while simultaneously analyzing the parameters of each
>> > individual web page for SQL Injection vulnerabilities. Scrawlr was
>> > designed specifically to help protect against these mass injection
>> > attacks, which are using Google queries to find older web applications and
>> > automatically injecting them. As such, Scrawlr crawls a website using
>> > the same techniques as a search engine: it doesn't keep state, or submit
>> > forms, or execute JavaScript or Flash. Thus Scrawlr is finding and
>> > auditing the pages that would have been indexed by the search engines.
>> >
>> > To reduce false positives Scrawlr provides proof of the vulnerability
>> > results by displaying the type of backend database in use and a list of
>> > available table names. There is no denying you have SQL Injection when I
>> > can show you table names!
>> >
>> > Microsoft Announcement here:
>> > http://www.microsoft.com/technet/security/advisory/954462.mspx
>> > HP WSRG Blog:
>> > http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx
>> > Download here: https://download.spidynamics.com/Products/scrawlr/
>> >
>> > Enjoy,
>> > Billy Hoffman
>> > --
>> > Manager, HP Web Security Research Group
>> > HP Software - Application Security Center
>> > Direct:  770-343-7069
>> >
>> >
>> > ----------------------------------------------------------------------------
>> > Join us on IRC: irc.freenode.net #webappsec
>> >
>> > Have a question? Search The Web Security Mailing List Archives:
>> > http://www.webappsec.org/lists/websecurity/archive/
>> >
>> > Subscribe via RSS:
>> > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>> >
>> > Join WASC on LinkedIn
>> > http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>> >
>> >
>> >
> 

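The mechanics Billy describes above (a stateless spider that follows links only, tampers with every query-string parameter it finds, and flags a page when the response carries a verbose database error) are easy to model, and doing so makes the two limitations raised in the thread concrete: a page reachable only through a form or a login never gets crawled, and a parameter that fails without echoing a database error (blind injection) is never flagged. The following is an added example written for this page, not Scrawlr's code or HP's; it runs against a constructed in-memory site rather than a real host, the attack strings and the per-engine error signatures are assumptions, and the table-name extraction Scrawlr does to confirm a hit is left out.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urljoin, urlsplit, urlunsplit

# Attack strings appended to each parameter value (assumed; the thread only says
# "SQL injection attack strings").
PAYLOADS = ["'", '"']

# Verbose-error signatures. The engines are the ones named in the thread (MSSQL,
# MySQL, Oracle); the exact strings are assumptions for this example.
ERROR_SIGNATURES = {
    "mssql": re.compile(r"Unclosed quotation mark|Incorrect syntax near|OLE DB Provider for SQL Server"),
    "mysql": re.compile(r"You have an error in your SQL syntax|mysql_fetch_|MySQL server version"),
    "oracle": re.compile(r"ORA-\d{5}"),
}


class LinkExtractor(HTMLParser):
    """Collect <a href> targets only: no forms, no JavaScript, no cookies, no state,
    which is exactly what an indexing spider (and the mass-injection tool) sees."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def crawl(start_url, fetch, max_pages=50):
    """Breadth-first, same-host crawl. `fetch(url)` returns the body or None."""
    host = urlsplit(start_url).netloc
    seen, queue, pages = set(), [start_url], {}
    while queue and len(pages) < max_pages:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        body = fetch(url)
        if body is None:
            continue
        pages[url] = body
        extractor = LinkExtractor()
        extractor.feed(body)
        for href in extractor.links:
            target = urljoin(url, href.split("#")[0])
            parts = urlsplit(target)
            if parts.scheme in ("http", "https") and parts.netloc == host and target not in seen:
                queue.append(target)
    return pages


def detect_engine(body):
    """Return the engine whose verbose error appears in the response, else None."""
    for engine, pattern in ERROR_SIGNATURES.items():
        if pattern.search(body):
            return engine
    return None


def scan(start_url, fetch):
    """Crawl, then tamper with every query-string parameter of every page found and
    flag a parameter when the response carries a recognisable database error."""
    findings = []
    for url in crawl(start_url, fetch):
        parts = urlsplit(url)
        params = parse_qsl(parts.query, keep_blank_values=True)
        for index, (name, value) in enumerate(params):
            for payload in PAYLOADS:
                mutated = list(params)
                mutated[index] = (name, value + payload)
                probe = urlunsplit(parts._replace(query=urlencode(mutated)))
                engine = detect_engine(fetch(probe) or "")
                if engine:
                    findings.append({"url": url, "param": name, "payload": payload, "engine": engine})
                    break  # this parameter is confirmed; move on to the next one
    return findings


# Constructed in-memory site standing in for a real host (no network involved).
STATIC_PAGES = {
    "http://shop.example/": (
        '<html><a href="/item.asp?id=7">item</a> <a href="/report.asp?sort=name">report</a>'
        ' <a href="/login.asp">login</a>'
        ' <form action="/account.asp"><input name="uid"></form></html>'
    ),
    "http://shop.example/login.asp": "<html>Please log in</html>",
}


def fake_fetch(url):
    """Stand-in for HTTP. item.asp leaks a verbose MSSQL error (constructed text),
    report.asp fails without any database text (blind), account.asp sits behind a form."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if parts.path == "/item.asp":
        if params.get("id", "").isdigit():
            return "<html>Widget %s</html>" % params["id"]
        return ("Microsoft OLE DB Provider for SQL Server error '80040e14' "
                "Unclosed quotation mark before the character string ''.")
    if parts.path == "/report.asp":
        if params.get("sort", "") in ("name", "price"):
            return "<html>Report sorted by %s</html>" % params["sort"]
        return "<html>Internal error</html>"  # no database text, so it is never flagged
    return STATIC_PAGES.get(url)
```

Running `scan("http://shop.example/", fake_fetch)` reports only `item.asp`'s `id` parameter as MSSQL-injectable. `report.asp` is just as broken but answers with a generic error, so a signature-based check cannot see it, and `account.asp` is never visited because the spider does not submit the form that leads to it. Those are the gaps Zinho and Michael point out above, and they are inherent to the search-engine-shaped crawl Billy describes rather than bugs in any one implementation.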