RE: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler
- From: "Chris Eng" <ceng@xxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler
- Date: Wed, 25 Jun 2008 12:22:00 -0400
My thoughts here:
http://www.veracode.com/blog/?p=112
> -----Original Message-----
> From: Hoffman, Billy [mailto:billy.hoffman@xxxxxx]
> Sent: Wednesday, June 25, 2008 10:26 AM
> To: Sven Vetsch / Disenchant
> Cc: websecurity@xxxxxxxxxxxxx
> Subject: RE: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler
>
> We tried to express these limitations in multiple places, both
> internal and external to the tool. I notice the MS advisory
> is incorrect (it says we audit cookies) and I'll get that fixed.
>
> So, yes, certainly there is a risk, but I believe it is
> outweighed by the reach. How many of us encounter developers,
> even in 2008, who still do not "get" application security and
> are not testing, etc.? MS and its advisory system are a pretty
> big stage to reach these uninformed devs and raise
> application security awareness (and, admittedly, pimp our products).
>
> Take care,
> Billy Hoffman
> --
> Manager, HP Web Security Research Group
> HP Software - Application Security Center
> Direct: 770-343-7069
>
>
> -----Original Message-----
> From: Sven Vetsch / Disenchant [mailto:sven.vetsch@xxxxxxxxxxxxx]
> Sent: Wednesday, June 25, 2008 4:44 AM
> To: Hoffman, Billy
> Cc: websecurity@xxxxxxxxxxxxx
> Subject: Re: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler
>
> Why haven't HP and the Web Security Research Group added
> this functionality to an already existing SQL Injection
> scanner? I'm not sure about this, but isn't there a big
> chance that developers, or even security people without
> deeper webappsec knowledge, will think that Scrawlr can find all
> SQL Injections for them because behind it they'll find the
> names HP and Microsoft? If this becomes the case, we'll have
> much bigger problems than we actually have because, as already
> mentioned by Billy, it's *not* a replacement for tools like
> Absinthe, etc., and so developers will not find any form-based
> SQL Injections if they don't use other scanners too.
>
> Regards,
> Sven
>
>
> --
>
> sent by Sven Vetsch / Disenchant
>
> http://disenchant.ch
>
>
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org