
Re: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler



I’d just like to add a positive voice to the chorus. I haven’t looked at
Scrawlr yet, and most likely won’t, but the initiative is quite interesting
coming from major software firms.

Small, sharp, targeted solutions do have a very important place in
preventing mass exploitation of vulnerabilities, and given that HTTP
applications are a very weak link in the chain (of tubes), it’s nice to see
vendors actively confronting the issue. A little surprising, but nice.

Based on the description on this list, it sounds like the advisory might be
trumpeting a little loudly:

“[HP Scrawlr will] Test all discovered links for verbose SQL injection by
sending HTTP requests containing SQL injection attack strings in form
fields, querystring parameters, and cookie values.”

But throwing a hat into the arena, publishing an advisory, releasing several
free tools, and offering free support for users impacted by an issue that’s
not provably entirely the vendor’s fault is certainly a welcome change from
“if every developer always followed our guidelines to the letter this would
be a non-issue”.

Cheers,
~ol
---
Oliver Lavery
Security Compass
http://www.securitycompass.com/

“Security is mostly a superstition. It does not exist in nature.... Life is
either a daring adventure or nothing.”
-- Helen Keller


On 24/06/08 7:34 PM, "Hoffman, Billy" <billy.hoffman@hp.com> wrote:

> Michael, Zinho,
>
> I'm not sure why people seem to think Scrawlr is a replacement for existing
> tools like Absinthe or Nikto or Burp, etc. It's not and I'm sorry if you got
> that impression.
>
> Scrawlr exists for one reason: Some crazy hackers who read Chinese built this:
> http://isc.sans.org/diary.html?storyid=4294
>
> Microsoft came to us for that specific need. To help them provide developers
> with tools to prevent these mass exploits. Because the attack tool leverages
> search engines to find target pages, Scrawlr crawls and behaves like an
> indexing spider. It then SQL injects all query parameters exactly like the
> attack tool. We then extract all the user tables (be it Oracle, MSSQL, MySQL
> >=5, etc) to confirm SQL injection before flagging it. I'm very happy with our
> results.
>
> Is the tool going to find issues behind auth or forms or other web components?
> No, but neither will the attackers using this mass exploit tool. Can they
> change tactics and use, for example, Nikto or Burp? Sure.
>
> Could we have released Scrawlr as more of a WI Lite? Yes, but that was never
> its intent. And if you need something that's more robust by all means grab a
> free trial of WI or another vendor, or Burp, or Nikto or script some w3af.
>
> Zinho, if you are finding bugs I'd love to learn more about them and get them
> fixed. Scrawlr supports proxies so that will help you see what is going on.
> Did the vuln page get crawled?
>
> At the end of the day it's a free tool folks designed to solve a certain
> issue. I'm certainly open to more feedback but let's keep its original goals
> in perspective.
>
> Thanks,
> Billy Hoffman
> --
> Manager, HP Web Security Research Group
> HP Software - Application Security Center
> Direct:  770-343-7069
>
>
>=20
> -----Original Message-----
> From: Zinho [mailto:zinho@hackerscenter.com]
> Sent: Tuesday, June 24, 2008 8:04 PM
> To: websecurity@webappsec.org
> Subject: Re: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler
>
> I have to agree with Michael. I tested it on both simple ASP and PHP
> pages with a clear SQL injection. Nothing. The tool doesn't even seem to
> check for blind SQLi.
> I think it merely gets the server's response and looks for known SQL
> errors. Not to mention the limited crawling capabilities.
> I would have expected something more from HP/MS. Free tools around do a
> much better job.
>
> http://www.hackerscenter.com/index.php?/Blogs/2819-HP-and-MS-give-us-a-new-SQL-Injection-tool.html
>
>
> ----
> Armando Romeo
>
> Webmaster and Founder
>
> Hackers Center
> Internet Security Portal
> www.hackerscenter.com
>
>
>
> Michael S. Menefee ha scritto:
>> > Billy,
>> >
>> > Although this is indeed a good step, there are already a plethora of
>> > "free" SQL injection scanners or exploiters that kick the crap out of
>> > this tool.
>> >
>> > However, I am extremely excited to see this kind of development in the
>> > commercial space, and would like to see some enhancements to this
>> > product. Now, if HP's goal is to push their commercial tools ($$$) by
>> > pushing a limited "free" version, then I suppose none of this will ever
>> > happen, but *at a minimum* it would be nice to be able to either modify
>> > headers or input credentials where public sites are not the target.
>> >
>> > I tested this on 3 sites I knew to be vulnerable to SQL injection (all
>> > ASP.NET, MSSQL), but either cookies or authentication were required to
>> > actually test in these cases, hence nothing was discovered with this
>> > tool (lame).
>> >
>> > There's nothing worse than a free version of a product designed
>> > exclusively for you to be left "wanting" and thinking about purchasing
>> > the commercial version.
>> >
>> > If there are unseen or hidden options to this tool, forgive me,
>> > otherwise I don't really see the value when so many better free tools
>> > exist (Pangolin, Absinthe, Magic, Power Injector, etc, etc, etc)
>> >
>> >
>> > -----Original Message-----
>> > From: Hoffman, Billy [mailto:billy.hoffman@hp.com]
>> > Sent: Tuesday, June 24, 2008 5:35 PM
>> > To: websecurity@webappsec.org
>> > Subject: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler
>> >
>> > In response to all the Mass SQL Injection attacks this year, Microsoft
>> > approached HP and the Web Security Research Group (formerly SPI Labs)
>> > for assistance. While there was nothing they could patch, Microsoft
>> > wanted to provide tools to help developers find and fix these issues.
>> > After a month of development HP created Scrawlr.
>> >
>> > Scrawlr (short for SQL Injector and Crawler) is a free tool that will
>> > crawl a website while simultaneously analyzing the parameters of each
>> > individual web page for SQL Injection vulnerabilities. Scrawlr was
>> > designed specifically to help protect against these mass injection
>> > attacks, which are using Google queries to find older web applications and
>> > automatically inject them.  As such, Scrawlr crawls a website using
>> > the same techniques as a search engine: it doesn't keep state, or submit
>> > forms, or execute JavaScript or Flash. Thus Scrawlr is finding and
>> > auditing the pages that would have been indexed by the search engines.
>> >
>> > To reduce false positives Scrawlr provides proof of the vulnerability
>> > results by displaying the type of backend database in use and a list of
>> > available table names. There is no denying you have SQL Injection when I
>> > can show you table names!
>> >
>> > Microsoft Announcement here:
>> > http://www.microsoft.com/technet/security/advisory/954462.mspx
>> > HP WSRG Blog:
>> > http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx
>> > Download here: https://download.spidynamics.com/Products/scrawlr/
>> >
>> > Enjoy,
>> > Billy Hoffman
>> > --
>> > Manager, HP Web Security Research Group
>> > HP Software - Application Security Center
>> > Direct:  770-343-7069
>> >
>> >
>> > ----------------------------------------------------------------------------
>> > Join us on IRC: irc.freenode.net #webappsec
>> >
>> > Have a question? Search The Web Security Mailing List Archives:
>> > http://www.webappsec.org/lists/websecurity/archive/
>> >
>> > Subscribe via RSS:
>> > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>> >
>> > Join WASC on LinkedIn
>> > http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>> >





Brought to you by http://www.webappsec.org