I’d just like to add a positive voice to the chorus. I haven’t looked
at Scrawlr yet, and most likely won’t, but the initiative is quite
interesting coming from major software firms.
Small, sharp, targeted solutions do have a very important place in
preventing mass exploitation of vulnerabilities, and given that HTTP
applications are a very weak link in the chain (of tubes), it’s nice
to see vendors actively confronting the issue. A little surprising,
but nice.
Based on the description on this list, it sounds like the advisory
might be trumpeting a little loudly:
“[HP Scrawlr will] Test all discovered links for verbose SQL injection
by sending HTTP requests containing SQL injection attack strings in
form fields, querystring parameters, and cookie values.”
But throwing a hat into the arena, publishing an advisory, releasing
several free tools, and offering free support for users impacted by an
issue that’s not provably *entirely* the vendor’s fault is certainly a
welcome change from “if every developer always followed our guidelines
to the letter this would be a non-issue”.
Cheers,
~ol
---
Oliver Lavery
Security Compass
http://www.securitycompass.com/
“Security is mostly a superstition. It does not exist in nature....
Life is either a daring adventure or nothing.”
-- Helen Keller
On 24/06/08 7:34 PM, "Hoffman, Billy" <billy.hoffman@xxxxxx> wrote:
Michael, Zinho,
I'm not sure why people seem to think Scrawlr is a replacement for
existing tools like Absinthe or Nikto or Burp, etc. It's not, and
I'm sorry if you got that impression.
Scrawlr exists for one reason: Some crazy hackers who read Chinese
built this:
http://isc.sans.org/diary.html?storyid=4294
Microsoft came to us for that specific need. To help them provide
developers with tools to prevent these mass exploits. Because the
attack tool leverages search engines to find target pages Scrawlr
crawls and behaves like an indexing spider. It then SQL injects
all query parameters exactly like the attack tool. We then extract
all the user tables (be it Oracle, MSSQL, Mysql >=5, etc) to
confirm SQL injection before flagging it. I'm very happy with our
results.
Is the tool going to find issues behind auth or forms or other web
components? No, but neither will the attackers using this mass
exploit tool. Can they change tactics and use, for example, Nikto
or Burp? Sure.
Could we have released Scrawlr as more of a WI Lite? Yes, but that
was never its intent. And if you need something that's more robust
by all means grab a free trial of WI or another vendor, or Burp,
or Nikto or script some w3af.
Zinho, if you are finding bugs I'd love to learn more about them
and get them fixed. Scrawlr supports proxies so that will help you
see what is going on. Did the vuln page get crawled?
At the end of the day it's a free tool folks designed to solve a
certain issue. I'm certainly open to more feedback but let's keep
its original goals in perspective.
Thanks,
Billy Hoffman
--
Manager, HP Web Security Research Group
HP Software - Application Security Center
Direct: 770-343-7069
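The two detection approaches argued over in this thread, as an added example that is not Scrawlr's code nor anything from HP or the list posters: the error-based check injects an attack string into each query parameter of a URL in turn, the way the mass-exploit tool does, and keys on verbose database error strings in the response; the boolean-based blind check compares the page for a true and a false predicate against the unmodified page, so it still works when the server swallows errors. The target page is a constructed stand-in for a vulnerable PHP/MySQL product page (string concatenation into SQL, toy evaluator), and the URL, parameter names and table contents are all made up. Scrawlr's own confirmation step (extracting table names) is not reproduced here.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Verbose error signatures a scanner can key on. The strings are real
# MSSQL, MySQL and Oracle error text; the grouping into families is ours.
SQL_ERROR_SIGNATURES = {
    "MSSQL": re.compile(r"Unclosed quotation mark|OLE DB Provider for SQL Server"
                        r"|ODBC SQL Server Driver|SqlException", re.I),
    "MySQL": re.compile(r"You have an error in your SQL syntax|mysql_fetch_array\(\)"
                        r"|Warning: mysql_", re.I),
    "Oracle": re.compile(r"\bORA-\d{5}\b"),
}

# Attack strings appended to each value; the unbalanced quote breaks the query.
ATTACK_STRINGS = ["'", "\"", "'--"]


def inject_query_params(url, payload):
    """Yield (param_name, mutated_url), appending payload to one parameter at a time."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    for i, (name, value) in enumerate(params):
        mutated = list(params)
        mutated[i] = (name, value + payload)
        yield name, urlunsplit(parts._replace(query=urlencode(mutated)))


def classify_error(body):
    """Return the database family whose verbose error appears in the body, else None."""
    for db, pattern in SQL_ERROR_SIGNATURES.items():
        if pattern.search(body):
            return db
    return None


def verbose_scan(url, fetch):
    """Error-based check: flag a parameter when an attack string provokes a known DB error."""
    findings = []
    for payload in ATTACK_STRINGS:
        for param, mutated in inject_query_params(url, payload):
            db = classify_error(fetch(mutated))
            if db:
                findings.append((param, payload, db))
    return findings


def boolean_blind_scan(url, fetch):
    """Boolean-based blind check: a true predicate must reproduce the baseline page
    and a false predicate must change it. Works even when the server hides errors."""
    baseline = fetch(url)
    true_urls = dict(inject_query_params(url, "' AND '1'='1"))
    false_urls = dict(inject_query_params(url, "' AND '1'='2"))
    return [p for p in true_urls
            if fetch(true_urls[p]) == baseline and fetch(false_urls[p]) != baseline]


# --- Constructed stand-in for a vulnerable product page (not a real server) ---
PRODUCTS = {"1": "Widget", "2": "Gadget"}  # made-up table contents


def toy_db(sql):
    """Tiny evaluator for "SELECT ... WHERE a='x' AND b='y'". Unbalanced quotes raise."""
    if sql.count("'") % 2:
        raise ValueError("You have an error in your SQL syntax; check the manual")
    conditions = sql.split(" WHERE ", 1)[1].split(" AND ")
    rows = []
    for pid, name in PRODUCTS.items():
        ok = True
        for cond in conditions:
            lhs, rhs = cond.split("=", 1)
            lhs_val = pid if lhs.strip() == "id" else lhs.strip().strip("'")
            ok = ok and lhs_val == rhs.strip().strip("'")
        if ok:
            rows.append(name)
    return rows


def make_vulnerable_page(verbose_errors):
    """Return a fetch(url) callable that concatenates the 'id' parameter into SQL."""
    def fetch(url):
        query = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
        sql = "SELECT name FROM products WHERE id='%s'" % query.get("id", "")
        try:
            rows = toy_db(sql)
        except ValueError as err:
            if verbose_errors:  # PHP-style warning leaked into the page
                return "<b>Warning</b>: mysql_fetch_array(): %s" % err
            return "<p>No results</p>"  # errors suppressed: looks like an empty result
        return "<p>%s</p>" % (", ".join(rows) or "No results")
    return fetch


TARGET = "http://example.test/product.php?id=1&cat=tools"  # constructed URL

if __name__ == "__main__":
    for verbose in (True, False):
        page = make_vulnerable_page(verbose)
        print("verbose errors:", verbose)
        print("  error-based  :", verbose_scan(TARGET, page))
        print("  boolean blind:", boolean_blind_scan(TARGET, page))
```

Against the page with verbose errors the error-based scan flags `id` (and leaves `cat`, which never reaches the query, alone); against the same page with errors suppressed it finds nothing, which is the gap Zinho describes, while the boolean check still flags `id` in both cases. A real crawler would feed every discovered URL into these two functions with an HTTP fetch in place of the stand-in.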
-----Original Message-----
From: Zinho [mailto:zinho@xxxxxxxxxxxxxxxxx]
Sent: Tuesday, June 24, 2008 8:04 PM
To: websecurity@xxxxxxxxxxxxx
Subject: Re: [WEB SECURITY] Announcing Scrawlr: SQL Injector and
Crawler
I have to agree with Michael. I tested it on both simple ASP and PHP
pages with a clear SQL injection. Nothing. The tool doesn't even
seem to check for blind SQLi.
I think it merely gets the server's response and looks for known SQL
errors. Not to mention the limited crawling capabilities.
I would have expected something more from HP/MS. Free tools around do a
much better job.
http://www.hackerscenter.com/index.php?/Blogs/2819-HP-and-MS-give-us-a-new-SQL-Injection-tool.html
----
Armando Romeo
Webmaster and Founder
Hackers Center
Internet Security Portal
www.hackerscenter.com
Michael S. Menefee wrote:
> Billy,
>
> Although this is indeed a good step, there are already a plethora of
> "free" sql injection scanners or exploiters that kick the crap out of
> this tool.
>
> However, I am extremely excited to see this kind of development in the
> commercial space, and would like to see some enhancements to this
> product. Now, if HP's goal is to push their commercial tools ($$$) by
> pushing a limited "free" version, then I suppose none of this will ever
> happen, but *at a minimum* it would be nice to be able to either modify
> headers or input credentials where public sites are not the target.
>
> I tested this on 3 sites I knew to be vulnerable to SQL injection (all
> ASP.NET, MSSQL), but either cookies or authentication were required to
> actually test in these cases, hence nothing was discovered with this
> tool (lame).
>
> There's nothing worse than a free version of a product designed
> exclusively for you to be left "wanting" and thinking about purchasing
> the commercial version.
>
> If there are unseen or hidden options to this tool, forgive me,
> otherwise I don't really see the value when so many better free tools
> exist (Pangolin, Absinthe, Magic, Power Injector, etc, etc, etc)
>
> -----Original Message-----
> From: Hoffman, Billy [mailto:billy.hoffman@xxxxxx]
> Sent: Tuesday, June 24, 2008 5:35 PM
> To: websecurity@xxxxxxxxxxxxx
> Subject: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler
>
> In response to all the Mass SQL Injection attacks this year, Microsoft
> approached HP and the Web Security Research Group (formerly SPI Labs)
> for assistance. While there was nothing they could patch, Microsoft
> wanted to provide tools to help developers find and fix these issues.
> After a month of development HP created Scrawlr.
>
> Scrawlr (short for SQL Injector and Crawler) is a free tool that will
> crawl a website while simultaneously analyzing the parameters of each
> individual web page for SQL Injection vulnerabilities. Scrawlr was
> designed specifically to help protect against these mass injection
> attacks, which use Google queries to find older web applications and
> automatically inject them. As such, Scrawlr crawls a website using
> the same techniques as a search engine: it doesn't keep state, or submit
> forms, or execute JavaScript or Flash. Thus Scrawlr is finding and
> auditing the pages that would have been indexed by the search engines.
>
> To reduce false positives Scrawlr provides proof of the vulnerability
> results by displaying the type of backend database in use and a list of
> available table names. There is no denying you have SQL Injection when I
> can show you table names!
>
> Microsoft Announcement here:
> http://www.microsoft.com/technet/security/advisory/954462.mspx
> HP WSRG Blog:
> http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx
> Download here: https://download.spidynamics.com/Products/scrawlr/
>
> Enjoy,
> Billy Hoffman
> --
> Manager, HP Web Security Research Group
> HP Software - Application Security Center
> Direct: 770-343-7069
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA