[WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler
- From: "Hoffman, Billy" <billy.hoffman@xxxxxx>
- Subject: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler
- Date: Tue, 24 Jun 2008 21:35:01 +0000
In response to all the Mass SQL Injection attacks this year, Microsoft approached HP and the Web Security Research Group (formerly SPI Labs) for assistance. While there was nothing they could patch, Microsoft wanted to provide tools to help developers find and fix these issues. After a month of development HP created Scrawlr.
Scrawlr (short for SQL Injector and Crawler) is a free tool that will crawl a website while simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. Scrawlr was designed specifically to help protect against these mass injection attacks, which are using Google queries to find older web applications and automatically inject them. As such, Scrawlr crawls a website using the same techniques as a search engine: it doesn't keep state, or submit forms, or execute JavaScript or Flash. Thus Scrawlr is finding and auditing the pages that would have been indexed by the search engines.
To reduce false positives Scrawlr provides proof of the vulnerability results by displaying the type of backend database in use and a list of available table names. There is no denying you have SQL Injection when I can show you table names!
Microsoft Announcement here: http://www.microsoft.com/technet/security/advisory/954462.mspx
HP WSRG Blog: http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx
Download here: https://download.spidynamics.com/Products/scrawlr/
Enjoy,
Billy Hoffman
--
Manager, HP Web Security Research Group
HP Software - Application Security Center
Direct: 770-343-7069