
RE: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler



We tried to express these limitations in multiple places, both internal and external to the tool. I notice the MS advisory is incorrect (it says we audit cookies) and I'll get that fixed.

So, yes, certainly there is a risk, but I believe it is outweighed by the reach. How many of us encounter developers, even in 2008, who still do not "get" application security and are not testing, etc.? MS and its advisory system are a pretty big stage to reach these uninformed devs and raise application security awareness (and, admittedly, pimp our products).

Take care,
Billy Hoffman
--
Manager, HP Web Security Research Group
HP Software - Application Security Center
Direct:  770-343-7069


-----Original Message-----
From: Sven Vetsch / Disenchant [mailto:sven.vetsch@xxxxxxxxxxxxx]
Sent: Wednesday, June 25, 2008 4:44 AM
To: Hoffman, Billy
Cc: websecurity@xxxxxxxxxxxxx
Subject: Re: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Why haven't HP and the Web Security Research Group added this
functionality to an already existing SQL Injection scanner? I'm not sure
about this, but isn't there a big chance that developers or even
security people without deeper webappsec knowledge think that Scrawlr
can find all SQL Injections for them because behind it they'll find the
names HP and Microsoft? If this becomes the case, we'll have much bigger
problems than we actually have because, as already mentioned by Billy,
it's *not* a replacement for tools like Absinthe, etc., and so developers
will not find any form-based SQL Injections if they don't use other
scanners too.

Regards,
Sven


Hoffman, Billy wrote:
|

- --

sent by Sven Vetsch / Disenchant

http://disenchant.ch

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIYgVI8luv3I4ijh0RAkO5AJ0bhZ0gM6SBfy63AU9DVvKu5JZ7twCbB90F
JNIw3vddrmo0HhedE89IxXU=
=ko9c
-----END PGP SIGNATURE-----
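The coverage gap the thread is arguing about (a crawler that only injects into URL query parameters, versus injection points in POST form fields and cookies) can be shown with a small model. The following is an added example written for this archive page; it is not Scrawlr, HP or Microsoft code and does not reproduce how Scrawlr probes. The in-memory SQLite schema, the three hypothetical request handlers (`/user`, `/login`, `/profile`), the request dictionaries and the single-quote error probe are all constructed for illustration.

```python
"""
Added example, not part of the original thread: a toy model of why a scanner
that injects only into URL query parameters misses form (POST) and cookie
based SQL injection. Schema, handlers, probe and crawl output are constructed.
"""
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the application backend."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "admin"), (2, "bob", "user")])
    return db


class VulnApp:
    """Hypothetical vulnerable application with three injection sinks:
    one reads the query string, one a POST form field, one a cookie.
    All three concatenate untrusted input straight into SQL."""

    def __init__(self):
        self.db = make_db()

    def _run(self, sql):
        try:
            return self.db.execute(sql).fetchall()
        except sqlite3.Error as e:
            # A real app would render an error page; the error text is what an
            # error-based injection probe keys on, so we return it verbatim.
            return "DB error: " + str(e)

    def handle(self, request):
        path = request["path"]
        if path == "/user":        # GET /user?id=1
            return self._run("SELECT name FROM users WHERE id = %s"
                             % request["query"].get("id", "0"))
        if path == "/login":       # POST /login with form field name=...
            return self._run("SELECT role FROM users WHERE name = '%s'"
                             % request["form"].get("name", ""))
        if path == "/profile":     # GET /profile with cookie uid=...
            return self._run("SELECT name FROM users WHERE id = %s"
                             % request["cookies"].get("uid", "0"))
        return "404"


# Error-based probe: a stray single quote breaks the SQL syntax in every sink.
PROBE = "1'"


def is_injectable(app, request, location, param):
    """Mutate one parameter in one location; True if the database complains."""
    mutated = {k: (dict(v) if isinstance(v, dict) else v) for k, v in request.items()}
    mutated[location][param] = PROBE
    result = app.handle(mutated)
    return isinstance(result, str) and result.startswith("DB error")


def get_only_scan(app, requests):
    """Model of a scanner that tests URL query parameters and nothing else."""
    hits = []
    for req in requests:
        for param in req["query"]:
            if is_injectable(app, req, "query", param):
                hits.append((req["path"], "query", param))
    return hits


def full_scan(app, requests):
    """The same probe applied to query, form and cookie parameters."""
    hits = []
    for req in requests:
        for location in ("query", "form", "cookies"):
            for param in req[location]:
                if is_injectable(app, req, location, param):
                    hits.append((req["path"], location, param))
    return hits


# Constructed crawl output: the three requests a crawler discovered.
CRAWLED = [
    {"path": "/user",    "query": {"id": "1"}, "form": {},                "cookies": {}},
    {"path": "/login",   "query": {},          "form": {"name": "alice"}, "cookies": {}},
    {"path": "/profile", "query": {},          "form": {},                "cookies": {"uid": "2"}},
]

if __name__ == "__main__":
    app = VulnApp()
    print("GET-only scanner found:", get_only_scan(app, CRAWLED))
    print("Full scanner found:    ", full_scan(app, CRAWLED))
```

Run stand-alone, the GET-only pass reports one finding (`/user`, query parameter `id`) while the same probe applied to form fields and cookies reports all three sinks. The point is not the probe, which is deliberately crude, but where it is applied: a tool that never touches request bodies or cookies cannot report what lives there, no matter how good its crawler is.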

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA


