[WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler
Curt Wilson
curtw at siu.edu
Wed Jun 25 11:21:34 EDT 2008
The HP tool is appreciated and it is a good sign. Thanks Billy.
I checked out Pangolin, and was a little bit suspicious of its binary
download. The binary has been analyzed by VirusTotal and there are six
indicators of Rbot. Could be a false positive, but I'm uneasy about it.
This was already discussed on this list in March of this year, but I
thought it was worth mentioning since the tool was referenced.
http://www.virustotal.com/analisis/dd9e99a2d7f4750ad3ff2c313b65b418
http://lists.virus.org/websecurity-0803/msg00056.html
I have not personally reverse engineered the binary to determine if this
is a false positive but a binary only download makes me suspicious.
Michael S. Menefee wrote:
> Billy,
>
> Although this is indeed a good step, there are already a plethora of
> "free" sql injection scanners or exploiters that kick the crap out of
> this tool.
>
> However, I am extremely excited to see this kind of development in the
> commercial space, and would like to see some enhancements to this
> product. Now, if HP's goal is to push their commercial tools ($$$) by
> pushing a limited "free" version, then I suppose none of this will ever
> happen, but *at a minimum* it would be nice to be able to either modify
> headers or input credentials where public sites are not the target.
>
> I tested this on 3 sites I knew to be vulnerable to SQL injection (all
> ASP.NET, MSSQL), but either cookies or authentication were required to
> actually test in these cases, hence nothing was discovered with this
> tool (lame).
>
> There's nothing worse than a free version of a product designed
> exclusively for you to be left "wanting" and thinking about purchasing
> the commercial version.
>
> If there are unseen or hidden options to this tool, forgive me,
> otherwise I don't really see the value when so many better free tools
> exist (Pangolin, Absinthe, Magic, Power Injector, etc, etc, etc)
>
> -----Original Message-----
> From: Hoffman, Billy [mailto:billy.hoffman at hp.com]
> Sent: Tuesday, June 24, 2008 5:35 PM
> To: websecurity at webappsec.org
> Subject: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler
>
> In response to all the Mass SQL Injection attacks this year, Microsoft
> approached HP and the Web Security Research Group (formerly SPI Labs)
> for assistance. While there was nothing they could patch, Microsoft
> wanted to provide tools to help developers find and fix these issues.
> After a month of development HP created Scrawlr.
>
> Scrawlr (short for SQL Injector and Crawler) is a free tool that will
> crawl a website while simultaneously analyzing the parameters of each
> individual web page for SQL Injection vulnerabilities. Scrawlr was
> designed specifically to help protect against these mass injection
> attacks, which are using Google queries to find older web applications
> and automatically injecting them. As such, Scrawlr crawls a website using
> the same techniques as a search engine: it doesn't keep state, or submit
> forms, or execute JavaScript or Flash. Thus Scrawlr is finding and
> auditing the pages that would have been indexed by the search engines.
>
> To reduce false positives Scrawlr provides proof of the vulnerability
> results by displaying the type of backend database in use and a list of
> available table names. There is no denying you have SQL Injection when I
> can show you table names!
>
> Microsoft Announcement here:
> http://www.microsoft.com/technet/security/advisory/954462.mspx
> HP WSRG Blog:
> http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx
> Download here: https://download.spidynamics.com/Products/scrawlr/
>
> Enjoy,
> Billy Hoffman
> --
> Manager, HP Web Security Research Group
> HP Software - Application Security Center
> Direct: 770-343-7069
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
--
Curt Wilson
SIUC IT Security Officer & Security Engineer
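As an added illustration of the crawling model Billy describes above (stateless, no form submission, no JavaScript, search-engine style), here is a small Python inventory tool that lists the URL query parameters reachable through plain links on a site. It is not Scrawlr's code and not part of the original thread; the sample pages and the fetch() stand-in are constructed so it runs offline, and it does no injection testing, only the surface inventory a defender would compare against their own application map.

```python
"""Stateless crawl of a site's link-reachable surface, reporting the query
parameter names a search engine (and a search-engine-style scanner) would see.

Added example, not Scrawlr's code. The site content below is constructed
inline so the script runs offline; a real run would replace fetch() with an
HTTP client that sends no cookies or credentials.
"""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse

# Constructed sample site: path -> HTML body. It contains an off-site link,
# a form and a script-generated URL to show what a stateless crawl skips.
SAMPLE_SITE = {
    "/": '<a href="/products.asp?cat=1">Products</a>'
         '<a href="/news.asp?id=7&lang=en">News</a>'
         '<a href="http://other.example/x?id=1">Partner</a>'
         '<form action="/login.asp" method="post"><input name="user"></form>'
         '<script>location.href="/hidden.asp?key=1"</script>',
    "/products.asp": '<a href="/products.asp?cat=2&sort=name">Next</a>'
                     '<a href="/">Home</a>',
    "/news.asp": '<a href="/news.asp?id=8">Older</a>',
}


class LinkExtractor(HTMLParser):
    """Collect href values of <a> tags only: forms and scripts are ignored."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def fetch(url):
    """Stand-in for an HTTP GET against the constructed site (assumption)."""
    return SAMPLE_SITE.get(urlparse(url).path or "/", "")


def crawl_parameters(start_url, max_pages=100):
    """Breadth-first, cookie-less crawl restricted to the start host.

    Each path is fetched once; every link discovered contributes the query
    parameter names it carries. Returns {path: sorted parameter names}.
    """
    host = urlparse(start_url).netloc
    fetched, queue, params = set(), deque([start_url]), {}
    while queue and len(fetched) < max_pages:
        url = queue.popleft()
        path = urlparse(url).path or "/"
        if path in fetched:
            continue
        fetched.add(path)
        extractor = LinkExtractor()
        extractor.feed(fetch(url))
        for href in extractor.links:
            target = urlparse(urljoin(url, href))
            if target.netloc != host:
                continue  # off-site links are out of scope for this inventory
            tpath = target.path or "/"
            names = set(parse_qs(target.query, keep_blank_values=True))
            params.setdefault(tpath, set()).update(names)
            if tpath not in fetched:
                queue.append(target.geturl())
    return {p: sorted(n) for p, n in params.items()}


def pages_with_parameters(start_url):
    """Only the paths that accept at least one query parameter via a link."""
    return sorted(p for p, names in crawl_parameters(start_url).items() if names)


if __name__ == "__main__":
    for path, names in sorted(crawl_parameters("http://site.example/").items()):
        print(path, names)
```

Note what is absent from the output: /login.asp (reachable only by submitting a form) and /hidden.asp (reachable only through JavaScript). That is exactly the gap Michael points out for authenticated or cookie-gated pages: a crawl of this style covers what a search engine indexes and nothing behind it.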