RE: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler
- From: Bryan Sullivan <bryansul@xxxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler
- Date: Tue, 24 Jun 2008 17:22:58 -0700
No, it definitely does check for blind SQLi. Are your test pages vulnerable through form inputs? As Billy said earlier, Scrawlr does not submit forms.
-----Original Message-----
From: Zinho [mailto:zinho@xxxxxxxxxxxxxxxxx]
Sent: Tuesday, June 24, 2008 5:04 PM
To: websecurity@xxxxxxxxxxxxx
Subject: Re: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler
I have to agree with Michael. I tested it on both simple ASP and PHP
pages with a clear SQL injection. Nothing. The tool doesn't even seem to
check for blind SQLi.
I think it merely gets the server's response and looks for known SQL
errors. Not to mention the limited crawling capabilities.
I would have expected something more from HP/MS. Free tools around do a
much better job.
http://www.hackerscenter.com/index.php?/Blogs/2819-HP-and-MS-give-us-a-new-SQL-Injection-tool.html
----
Armando Romeo
Webmaster and Founder
Hackers Center
Internet Security Portal
www.hackerscenter.com
Michael S. Menefee wrote:
> Billy,
>
> Although this is indeed a good step, there are already a plethora of
> "free" SQL injection scanners or exploiters that kick the crap out of
> this tool.
>
> However, I am extremely excited to see this kind of development in the
> commercial space, and would like to see some enhancements to this
> product. Now, if HP's goal is to push their commercial tools ($$$) by
> pushing a limited "free" version, then I suppose none of this will ever
> happen, but *at a minimum* it would be nice to be able to either modify
> headers or input credentials where public sites are not the target.
>
> I tested this on 3 sites I knew to be vulnerable to SQL injection (all
> ASP.NET, MSSQL), but either cookies or authentication were required to
> actually test in these cases, hence nothing was discovered with this
> tool (lame).
>
> There's nothing worse than a free version of a product designed
> exclusively for you to be left "wanting" and thinking about purchasing
> the commercial version.
>
> If there are unseen or hidden options to this tool, forgive me,
> otherwise I don't really see the value when so many better free tools
> exist (Pangolin, Absinthe, Magic, Power Injector, etc, etc, etc)
>
> -----Original Message-----
> From: Hoffman, Billy [mailto:billy.hoffman@xxxxxx]
> Sent: Tuesday, June 24, 2008 5:35 PM
> To: websecurity@xxxxxxxxxxxxx
> Subject: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler
>
> In response to all the Mass SQL Injection attacks this year, Microsoft
> approached HP and the Web Security Research Group (formerly SPI Labs)
> for assistance. While there was nothing they could patch, Microsoft
> wanted to provide tools to help developers find and fix these issues.
> After a month of development HP created Scrawlr.
>
> Scrawlr (short for SQL Injector and Crawler) is a free tool that will
> crawl a website while simultaneously analyzing the parameters of each
> individual web page for SQL Injection vulnerabilities. Scrawlr was
> designed specifically to help protect against these mass injection
> attacks, which use Google queries to find older web applications and
> automatically inject them. As such, Scrawlr crawls a website using
> the same techniques as a search engine: it doesn't keep state, or submit
> forms, or execute JavaScript or Flash. Thus Scrawlr finds and
> audits the pages that would have been indexed by the search engines.
>
> To reduce false positives Scrawlr provides proof of the vulnerability
> results by displaying the type of backend database in use and a list of
> available table names. There is no denying you have SQL Injection when I
> can show you table names!
>
> Microsoft Announcement here:
> http://www.microsoft.com/technet/security/advisory/954462.mspx
> HP WSRG Blog:
> http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx
> Download here: https://download.spidynamics.com/Products/scrawlr/
>
> Enjoy,
> Billy Hoffman
> --
> Manager, HP Web Security Research Group
> HP Software - Application Security Center
> Direct: 770-343-7069
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
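As an added example (not Scrawlr's code and not written by anyone in this thread), the response-matching approach Zinho describes: key on known database error text in a page body to name the backend, which is also what Billy says Scrawlr reports as proof. A page that fails silently returns None, which is the blind case the thread says this approach misses. The signature strings and sample responses are constructed assumptions, not Scrawlr's signature list.

```python
import re

# Constructed signature table: the kind of "known SQL error" strings a
# response-matching check looks for, grouped by the DBMS that emits them.
# These are assumed examples, not Scrawlr's actual signature list.
DB_ERROR_SIGNATURES = {
    "Microsoft SQL Server": [
        r"Unclosed quotation mark after the character string",
        r"Microsoft OLE DB Provider for SQL Server",
        r"\[SQL Server\]",
    ],
    "MySQL": [
        r"You have an error in your SQL syntax",
        r"mysql_fetch_array\(\)",
        r"supplied argument is not a valid MySQL",
    ],
    "Oracle": [r"\bORA-\d{5}\b"],
    "PostgreSQL": [r"PostgreSQL.*ERROR", r"pg_query\(\)"],
}


def fingerprint_db(body: str):
    """Return the DBMS named by an error message in a response body, or None.

    None is the blind case: the query may still have broken, but the page
    reveals nothing a signature matcher can key on.
    """
    for dbms, patterns in DB_ERROR_SIGNATURES.items():
        if any(re.search(p, body, re.IGNORECASE) for p in patterns):
            return dbms
    return None


def classify_responses(responses):
    """Map each (label, body) pair to the DBMS its error text leaks, or None."""
    return {label: fingerprint_db(body) for label, body in responses}


# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES = [
    ("asp_error", "Microsoft OLE DB Provider for SQL Server error '80040e14' "
                  "Unclosed quotation mark after the character string ''."),
    ("php_error", "Warning: mysql_fetch_array(): supplied argument is not a "
                  "valid MySQL result resource in /var/www/list.php on line 12"),
    ("silent_page", "<html><body><h1>Products</h1><p>No products found.</p></body></html>"),
]

if __name__ == "__main__":
    for label, dbms in classify_responses(SAMPLE_RESPONSES).items():
        print(f"{label}: {dbms or 'no error signature (a blind case looks like this)'}")
```

Run against your own site's responses, a non-None result is itself a finding: the application is leaking database error text to clients regardless of whether the parameter is injectable.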