[WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler

Zinho zinho at hackerscenter.com
Wed Jun 25 14:31:00 EDT 2008


Indeed my point was: if this static source code analysis tool really
works, why rely on Scrawlr?
Why not concentrate the two efforts into one reliable tool anyway?
The source code analyzer only scans ASP source, and AFAIK ASP seems to
be the only one affected (is .NET too?) by the mass SQLi.

I should give the source analyzer a try later tonight.

----
Zinho

Webmaster and Founder
Hackers Center Internet Security Portal
www.hackerscenter.com
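
As an added illustration (not part of this thread, and not Microsoft's
Source Code Analyzer for SQL Injection): the "code smell" the analyzer
is described as finding is a SQL statement literal glued together with
request input by the & operator. The toy scanner below does a
single-pass taint track over classic ASP source and flags such lines.
The sample ASP page, its variable names and the regexes are constructed
for this example and stand in for whatever the real tool does.

```python
"""Toy ASP SQL-injection 'code smell' scanner.

Added illustration in the spirit of the Microsoft Source Code Analyzer for SQL
Injection discussed in this thread; it is NOT Microsoft's tool. It does one
thing: flag classic ASP lines where a SQL statement literal is built with the
string-concatenation operator (&) from a value that came from Request.*, either
directly or via a variable assigned from Request.* earlier in the file.
"""
import re

# Constructed sample page: two concatenation smells and one parameterised
# ADODB.Command that should pass clean.
SAMPLE_ASP = '''<%
Dim id, sql, cmd
id = Request.QueryString("id")
sql = "SELECT name FROM products WHERE id = " & id
Set rs = conn.Execute(sql)

name = Request.Form("user")
Set rs2 = conn.Execute("SELECT * FROM users WHERE name = '" & name & "'")

Set cmd = Server.CreateObject("ADODB.Command")
cmd.CommandText = "SELECT name FROM products WHERE id = ?"
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , Request.QueryString("id"))
Set rs3 = cmd.Execute
%>'''

# A double-quoted literal that opens with a SQL verb.
SQL_LITERAL = re.compile(r'"\s*(SELECT|INSERT|UPDATE|DELETE|EXEC)\b', re.IGNORECASE)
# Request("x"), Request.QueryString("x"), Request.Form("x"), Request.Cookies("x") ...
REQUEST_SOURCE = re.compile(
    r'\bRequest(\.(QueryString|Form|Cookies|ServerVariables))?\s*\(', re.IGNORECASE)
# Plain `name = expr` assignment (Set/Dim/property assignments are not tracked).
ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.*)$')
STRING_LITERAL = re.compile(r'"[^"]*"')


def _code_only(line):
    """Blank out string literals so identifier matching ignores their contents."""
    return STRING_LITERAL.sub('""', line)


def _has_tainted_input(code, tainted):
    """True if the (literal-stripped) code reads Request.* or a tainted variable."""
    if REQUEST_SOURCE.search(code):
        return True
    return any(re.search(r'\b%s\b' % re.escape(v), code) for v in tainted)


def scan_asp(source):
    """Return [(line_number, stripped_line)] for each concatenation smell.

    Single forward pass with a simple taint set: a variable becomes tainted when
    its right-hand side reads Request.* or mentions an already-tainted variable.
    A finding is a line that holds a SQL literal, uses &, and touches tainted input.
    """
    tainted = set()
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = _code_only(line)
        uses_input = _has_tainted_input(code, tainted)
        if SQL_LITERAL.search(line) and '&' in code and uses_input:
            findings.append((lineno, line.strip()))
        m = ASSIGN.match(line)
        if m and uses_input:
            tainted.add(m.group(1))
    return findings


if __name__ == '__main__':
    for lineno, text in scan_asp(SAMPLE_ASP):
        print('line %d: SQL built by concatenating request input: %s' % (lineno, text))
```

Caveat: this only catches concatenation on the same line as the SQL
literal; a statement assembled in one place and executed in another
(conn.Execute(sql & x)) slips past it, which is exactly the dataflow
tracking a real analyzer has to do. The parameterised ADODB.Command at
the end of the sample is the shape the fix takes.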

Mark Roxberry wrote:
>  
> Zinho,
>  
> Scrawlr is one of 3 tools recommended in the MS advisory for SQL 
> Injection vulnerabilities (Source Code Analyzer is one also):
>  
> Microsoft Security Advisory 954462
> http://www.microsoft.com/technet/security/advisory/954462.mspx
>
>  
> Microsoft / HP / Spilabs response to recent mass SQL injection 
> attacks.  The advisory contains information resources and links for 3 
> tools:
>
>    * Scrawlr, a site crawler that looks for SQL Injection
>      vulnerabilities (free, lightweight)
>    * URLScan 3.0 Beta, filters potentially dangerous URLs
>    * Microsoft Source Code Analyzer, looks for SQL injection code
>      smells in source code
>
> For a great analysis of what has happened with the mass SQL injection 
> attacks, read this post (worth the time):
> http://blogs.technet.com/neilcar/archive/2008/03/15/anatomy-of-a-sql-injection-incident-part-2-meat.aspx
>
> Regards,
>  
> Mark Roxberry
>
> ------------------------------------------------------------------------
>
> > Date: Wed, 25 Jun 2008 10:03:58 +0200
> > From: zinho at hackerscenter.com
> > To: websecurity at webappsec.org
> > Subject: Re: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler
> >
> > This is probably the best option for an ASP website owner: the
> > Microsoft Source Code Analyzer for SQL Injection tool is available to
> > find SQL injection vulnerabilities in ASP code
> > http://support.microsoft.com/kb/954476
> >
> > It should be able to check all kinds of SQL injections (at least
> > theoretically), not only those used by the recent botnets.
> >
> > It points you to the faulty code. Some average level of ASP coding will
> > then be required to fix it, but from the advisory I read:
> >
> > "In addition to the tool itself, there is documentation included on
> > ways to fix the problems it finds in the code it analyzes"
> >
> > So this should be very helpful.
> > I haven't tested it personally, but a drawback here could be that it
> > doesn't demonstrate the existence of the SQLi by showing table names. And
> > Billy is right, this is greatly incentivising to go fix those bugs.
> >
> > ----
> > Zinho
> >
> > Webmaster and Founder
> >
> > Hackers Center
> > Internet Security Portal
> > www.hackerscenter.com
> >
> >
> >
> > Oliver Lavery wrote:
> > > I’d just like to add a positive voice to the chorus. I haven’t looked
> > > at Scrawlr yet, and most likely won’t, but the initiative is quite
> > > interesting coming from major software firms.
> > >
> > > Small, sharp, targeted solutions do have a very important place in
> > > preventing mass exploitation of vulnerabilities, and given that HTTP
> > > applications are a very weak link in the chain (of tubes), it’s nice
> > > to see vendors actively confronting the issue. A little surprising,
> > > but nice.
> > >
> > > Based on the description on this list, it sounds like the advisory
> > > might be trumpeting a little loudly:
> > >
> > > “[HP Scrawlr will] Test all discovered links for verbose SQL
> > > injection by sending HTTP requests containing SQL injection attack
> > > strings in form fields, querystring parameters, and cookie values.”
> > >
> > > But throwing a hat into the arena, publishing an advisory, releasing
> > > several free tools, and offering free support for users impacted by
> > > an issue that’s not provably *entirely* the vendor’s fault is
> > > certainly a welcome change from “if every developer always followed
> > > our guidelines to the letter this would be a non-issue”.
> > >
> > > Cheers,
> > > ~ol
> > > ---
> > > Oliver Lavery
> > > Security Compass
> > > http://www.securitycompass.com/
> > >
> > > “Security is mostly a superstition. It does not exist in nature....
> > > Life is either a daring adventure or nothing.”
> > > -- Helen Keller
> > >
> > >
> > > On 24/06/08 7:34 PM, "Hoffman, Billy" <billy.hoffman at hp.com> wrote:
> > >
> > > Michael, Zinho,
> > >
> > > I'm not sure why people seem to think Scrawlr is a replacement for
> > > existing tools like Absinthe or Nikto or Burp, etc. It's not and
> > > I'm sorry if you got that impression.
> > >
> > > Scrawlr exists for one reason: Some crazy hackers who read Chinese
> > > built this:
> > > http://isc.sans.org/diary.html?storyid=4294
> > >
> > > Microsoft came to us for that specific need. To help them provide
> > > developers with tools to prevent these mass exploits. Because the
> > > attack tool leverages search engines to find target pages, Scrawlr
> > > crawls and behaves like an indexing spider. It then SQL injects
> > > all query parameters exactly like the attack tool. We then extract
> > > all the user tables (be it Oracle, MSSQL, Mysql >=5, etc) to
> > > confirm SQL injection before flagging it. I'm very happy with our
> > > results.
> > >
> > > Is the tool going to find issues behind auth or forms or other web
> > > components? No, but neither will the attackers using this mass
> > > exploit tool. Can they change tactics and use, for example, Nikto
> > > or Burp? Sure.
> > >
> > > Could we have released Scrawlr as more of a WI Lite? Yes, but that
> > > was never its intent. And if you need something that's more robust
> > > by all means grab a free trial of WI or another vendor, or Burp,
> > > or Nikto or script some w3af.
> > >
> > > Zinho, if you are finding bugs I'd love to learn more about them
> > > and get them fixed. Scrawlr supports proxies so that will help you
> > > see what is going on. Did the vuln page get crawled?
> > >
> > > At the end of the day it's a free tool, folks, designed to solve a
> > > certain issue. I'm certainly open to more feedback but let's keep
> > > its original goals in perspective.
> > >
> > > Thanks,
> > > Billy Hoffman
> > > --
> > > Manager, HP Web Security Research Group
> > > HP Software - Application Security Center
> > > Direct: 770-343-7069
> > >
> > >
> > > -----Original Message-----
> > > From: Zinho [mailto:zinho at hackerscenter.com]
> > > Sent: Tuesday, June 24, 2008 8:04 PM
> > > To: websecurity at webappsec.org
> > > Subject: Re: [WEB SECURITY] Announcing Scrawlr: SQL Injector and
> > > Crawler
> > >
> > > I have to agree with Michael. I tested it on both simple ASP and PHP
> > > pages with a clear SQL injection. Nothing. The tool doesn't even
> > > seem to check for blind SQLi.
> > > I think it merely gets the server's response and looks for known SQL
> > > errors. Not to mention the limited crawling capabilities.
> > > I would have expected something more from HP/MS. Free tools around
> > > do a much better job.
> > >
> > > http://www.hackerscenter.com/index.php?/Blogs/2819-HP-and-MS-give-us-a-new-SQL-Injection-tool.html
> > >
> > >
> > > ----
> > > Armando Romeo
> > >
> > > Webmaster and Founder
> > >
> > > Hackers Center
> > > Internet Security Portal
> > > www.hackerscenter.com
> > >
> > >
> > >
> > > Michael S. Menefee wrote:
> > > > Billy,
> > > >
> > > > Although this is indeed a good step, there are already a plethora of
> > > > "free" sql injection scanners or exploiters that kick the crap out of
> > > > this tool.
> > > >
> > > > However, I am extremely excited to see this kind of development in the
> > > > commercial space, and would like to see some enhancements to this
> > > > product. Now, if HP's goal is to push their commercial tools ($$$) by
> > > > pushing a limited "free" version, then I suppose none of this will ever
> > > > happen, but *at a minimum* it would be nice to be able to either modify
> > > > headers or input credentials where public sites are not the target.
> > > >
> > > > I tested this on 3 sites I knew to be vulnerable to SQL injection (all
> > > > ASP.NET, MSSQL), but either cookies or authentication were required to
> > > > actually test in these cases, hence nothing was discovered with this
> > > > tool (lame).
> > > >
> > > > There's nothing worse than a free version of a product designed
> > > > exclusively for you to be left "wanting" and thinking about purchasing
> > > > the commercial version.
> > > >
> > > > If there are unseen or hidden options to this tool, forgive me,
> > > > otherwise I don't really see the value when so many better free tools
> > > > exist (Pangolin, Absinthe, Magic, Power Injector, etc, etc, etc)
> > > >
> > > > -----Original Message-----
> > > > From: Hoffman, Billy [mailto:billy.hoffman at hp.com]
> > > > Sent: Tuesday, June 24, 2008 5:35 PM
> > > > To: websecurity at webappsec.org
> > > > Subject: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler
> > > >
> > > > In response to all the Mass SQL Injection attacks this year, Microsoft
> > > > approached HP and the Web Security Research Group (formerly SPI Labs)
> > > > for assistance. While there was nothing they could patch, Microsoft
> > > > wanted to provide tools to help developers find and fix these issues.
> > > > After a month of development HP created Scrawlr.
> > > >
> > > > Scrawlr (short for SQL Injector and Crawler) is a free tool that will
> > > > crawl a website while simultaneously analyzing the parameters of each
> > > > individual web page for SQL Injection vulnerabilities. Scrawlr was
> > > > designed specifically to help protect against these mass injection
> > > > attacks, which are using Google queries to find older web applications
> > > > and automatically inject them. As such, Scrawlr crawls a website using
> > > > the same techniques as a search engine: it doesn't keep state, or submit
> > > > forms, or execute JavaScript or Flash. Thus Scrawlr is finding and
> > > > auditing the pages that would have been indexed by the search engines.
> > > >
> > > > To reduce false positives Scrawlr provides proof of the vulnerability
> > > > results by displaying the type of backend database in use and a list of
> > > > available table names. There is no denying you have SQL Injection when I
> > > > can show you table names!
> > > >
> > > > Microsoft Announcement here:
> > > > http://www.microsoft.com/technet/security/advisory/954462.mspx
> > > > HP WSRG Blog:
> > > > http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx
> > > > Download here: https://download.spidynamics.com/Products/scrawlr/
> > > >
> > > > Enjoy,
> > > > Billy Hoffman
> > > > --
> > > > Manager, HP Web Security Research Group
> > > > HP Software - Application Security Center
> > > > Direct: 770-343-7069
> > > >
> > > >
> > > > ----------------------------------------------------------------------------
> > > > Join us on IRC: irc.freenode.net #webappsec
> > > >
> > > > Have a question? Search The Web Security Mailing List Archives:
> > > > http://www.webappsec.org/lists/websecurity/archive/
> > > >
> > > > Subscribe via RSS:
> > > > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> > > >
> > > > Join WASC on LinkedIn
> > > > http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> > > >
> > >
> >
> >
> > --
> > ----
> > Zinho
> >
> > Webmaster and Founder
> >
> > Hackers Center
> > Internet Security Portal
> > www.hackerscenter.com
> >
>


-- 
----
Zinho

Webmaster and Founder 

Hackers Center 
Internet Security Portal
www.hackerscenter.com

