RE: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler
- From: Mark Roxberry <mroxberr@xxxxxxx>
- Subject: RE: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler
- Date: Wed, 25 Jun 2008 14:12:32 -0400

Zinho,

Scrawlr is one of 3 tools recommended in the MS advisory for SQL Injection vulnerabilities (Source Code Analyzer is one also):

Microsoft Security Advisory 954462 (http://www.microsoft.com/technet/security/advisory/954462.mspx)

Microsoft / HP / Spilabs response to recent mass SQL injection attacks. The advisory contains information resources and links for 3 tools:

- Scrawlr, a site crawler that looks for SQL Injection vulnerabilities (free, lightweight)
- URLScan 3.0 Beta, filters potentially dangerous urls
- Microsoft Source Code Analyzer, looks for SQL injection code smells in source code

For a great analysis of what has happened with the mass SQL injection attacks, read this post (worth the time):
http://blogs.technet.com/neilcar/archive/2008/03/15/anatomy-of-a-sql-injection-incident-part-2-meat.aspx

Regards,

Mark Roxberry

> Date: Wed, 25 Jun 2008 10:03:58 +0200
> From: zinho@hackerscenter.com
> To: websecurity@webappsec.org
> Subject: Re: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler
>
> This is probably the best option for an ASP website owner.
> Microsoft Source Code Analyzer for SQL Injection tool is available to
> find SQL injection vulnerabilities in ASP code
> http://support.microsoft.com/kb/954476
>
> It should be able to check all kinds of SQL injections (at least
> theoretically), not only those used by the recent botnets.
>
> It points you to the faulty code. Some average level of ASP coding will
> then be required to fix it, but from the advisory I read:
>
> "In addition to the tool itself, there is documentation included on ways
> to fix the problems it finds in the code it analyzes"
>
> So this should be very helpful.
> I haven't tested it personally but a drawback here could be that it
> doesn't demonstrate the existence of the sqli by showing table names. And
> Billy is right, this is greatly incentivising to go fix those bugs.
>
> ----
> Zinho
>
> Webmaster and Founder
>
> Hackers Center
> Internet Security Portal
> www.hackerscenter.com
>
>
> Oliver Lavery wrote:
> > I'd just like to add a positive voice to the chorus. I haven't looked
> > at Scrawlr yet, and most likely won't, but the initiative is quite
> > interesting coming from major software firms.
> >
> > Small, sharp, targeted solutions do have a very important place in
> > preventing mass exploitation of vulnerabilities, and given that HTTP
> > applications are a very weak link in the chain (of tubes), it's nice
> > to see vendors actively confronting the issue. A little surprising,
> > but nice.
> >
> > Based on the description on this list, it sounds like the advisory
> > might be trumpeting a little loudly:
> >
> > "[HP Scrawlr will] Test all discovered links for verbose SQL injection
> > by sending HTTP requests containing SQL injection attack strings in
> > form fields, querystring parameters, and cookie values."
> >
> > But throwing a hat into the arena, publishing an advisory, releasing
> > several free tools, and offering free support for users impacted by an
> > issue that's not provably *entirely* the vendor's fault is certainly a
> > welcome change from "if every developer always followed our guidelines
> > to the letter this would be a non-issue".
> >
> > Cheers,
> > ~ol
> > ---
> > Oliver Lavery
> > Security Compass
> > http://www.securitycompass.com/
> >
> > "Security is mostly a superstition. It does not exist in nature....
> > Life is either a daring adventure or nothing."
> > -- Helen Keller
> >
> >
> > On 24/06/08 7:34 PM, "Hoffman, Billy" <billy.hoffman@hp.com> wrote:
> >
> > Michael, Zinho,
> >
> > I'm not sure why people seem to think Scrawlr is a replacement for
> > existing tools like Absinthe or Nikto or Burp, etc. It's not, and
> > I'm sorry if you got that impression.
> >
> > Scrawlr exists for one reason: Some crazy hackers who read Chinese
> > built this:
> > http://isc.sans.org/diary.html?storyid=4294
> >
> > Microsoft came to us for that specific need. To help them provide
> > developers with tools to prevent these mass exploits. Because the
> > attack tool leverages search engines to find target pages, Scrawlr
> > crawls and behaves like an indexing spider. It then SQL injects
> > all query parameters exactly like the attack tool. We then extract
> > all the user tables (be it Oracle, MSSQL, Mysql >=5, etc) to
> > confirm SQL injection before flagging it. I'm very happy with our
> > results.
> >
> > Is the tool going to find issues behind auth or forms or other web
> > components? No, but neither will the attackers using this mass
> > exploit tool. Can they change tactics and use, for example, Nikto
> > or Burp? Sure.
> >
> > Could we have released Scrawlr as more of a WI Lite? Yes, but that
> > was never its intent. And if you need something that's more robust,
> > by all means grab a free trial of WI or another vendor, or Burp,
> > or Nikto, or script some w3af.
> >
> > Zinho, if you are finding bugs I'd love to learn more about them
> > and get them fixed. Scrawlr supports proxies so that will help you
> > see what is going on. Did the vuln page get crawled?
> >
> > At the end of the day it's a free tool folks designed to solve a
> > certain issue. I'm certainly open to more feedback but let's keep
> > its original goals in perspective.
> >
> > Thanks,
> > Billy Hoffman
> > --
> > Manager, HP Web Security Research Group
> > HP Software - Application Security Center
> > Direct: 770-343-7069
> >
> >
> > -----Original Message-----
> > From: Zinho [mailto:zinho@hackerscenter.com]
> > Sent: Tuesday, June 24, 2008 8:04 PM
> > To: websecurity@webappsec.org
> > Subject: Re: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler
> >
> > I have to agree with Michael. I tested it on both simple ASP and PHP
> > pages with a clear sql injection. Nothing. The tool doesn't even
> > seem to check for blind sqli.
> > I think it merely gets the server's response and looks for known SQL
> > errors. Not mentioning the limited crawling capabilities.
> > I would have expected something more from HP/MS. Free tools around
> > do a much better job.
> >
> > http://www.hackerscenter.com/index.php?/Blogs/2819-HP-and-MS-give-us-a-new-SQL-Injection-tool.html
> >
> >
> > ----
> > Armando Romeo
> >
> > Webmaster and Founder
> >
> > Hackers Center
> > Internet Security Portal
> > www.hackerscenter.com
> >
> >
> > Michael S. Menefee wrote:
> > > Billy,
> > >
> > > Although this is indeed a good step, there are already a plethora of
> > > "free" sql injection scanners or exploiters that kick the crap out of
> > > this tool.
> > >
> > > However, I am extremely excited to see this kind of development in the
> > > commercial space, and would like to see some enhancements to this
> > > product. Now, if HP's goal is to push their commercial tools ($$$) by
> > > pushing a limited "free" version, then I suppose none of this will ever
> > > happen, but *at a minimum* it would be nice to be able to either modify
> > > headers or input credentials where public sites are not the target.
> > >
> > > I tested this on 3 sites I knew to be vulnerable to SQL injection (all
> > > ASP.NET, MSSQL), but either cookies or authentication were required to
> > > actually test in these cases, hence nothing was discovered with this
> > > tool (lame).
> > >
> > > There's nothing worse than a free version of a product designed
> > > exclusively for you to be left "wanting" and thinking about purchasing
> > > the commercial version.
> > >
> > > If there are unseen or hidden options to this tool, forgive me,
> > > otherwise I don't really see the value when so many better free tools
> > > exist (Pangolin, Absinthe, Magic, Power Injector, etc, etc, etc)
> > >
> > >
> > > -----Original Message-----
> > > From: Hoffman, Billy [mailto:billy.hoffman@hp.com]
> > > Sent: Tuesday, June 24, 2008 5:35 PM
> > > To: websecurity@webappsec.org
> > > Subject: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler
> > >
> > > In response to all the Mass SQL Injection attacks this year, Microsoft
> > > approached HP and the Web Security Research Group (formerly SPI Labs)
> > > for assistance. While there was nothing they could patch, Microsoft
> > > wanted to provide tools to help developers find and fix these issues.
> > > After a month of development HP created Scrawlr.
> > >
> > > Scrawlr (short for SQL Injector and Crawler) is a free tool that will
> > > crawl a website while simultaneously analyzing the parameters of each
> > > individual web page for SQL Injection vulnerabilities. Scrawlr was
> > > designed specifically to help protect against these mass injection
> > > attacks which are using Google queries to find older web applications and
> > > automatically inject them. As such, Scrawlr crawls a website using
> > > the same techniques as a search engine: it doesn't keep state, or submit
> > > forms, or execute JavaScript or Flash. This Scrawl is finding and
> > > auditing the pages that would have been indexed by the search engines.
> > >
> > > To reduce false positives Scrawlr provides proof of the vulnerability
> > > results by displaying the type of backend database in use and a list of
> > > available table names. There is no denying you have SQL Injection when I
> > > can show you table names!
> > >
> > > Microsoft Announcement here:
> > > http://www.microsoft.com/technet/security/advisory/954462.mspx
> > > HP WSRG Blog:
> > > http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx
> > > Download here: https://download.spidynamics.com/Products/scrawlr/
> > >
> > > Enjoy,
> > > Billy Hoffman
> > > --
> > > Manager, HP Web Security Research Group
> > > HP Software - Application Security Center
> > > Direct: 770-343-7069
> > >
> > >
> > > ----------------------------------------------------------------------------
> > > Join us on IRC: irc.freenode.net #webappsec
> > >
> > > Have a question? Search The Web Security Mailing List Archives:
> > > http://www.webappsec.org/lists/websecurity/archive/
> > >
> > > Subscribe via RSS:
> > > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> > >
> > > Join WASC on LinkedIn
> > > http://www.linkedin.com/e/gis/83336/4B20E4374DBA
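The thread above describes the Microsoft Source Code Analyzer as pointing at the faulty ASP code that the mass-injection attacks exploited through query-string parameters. As an added illustration (not code from this thread, from Scrawlr or from the Microsoft tool), here is a classic ASP page with the vulnerable string-concatenated query beside the parameterized ADODB.Command form that fixes it; the connection string, table and column names are assumptions.

```vbscript
<%
' Constructed example: classic ASP (VBScript) product lookup by ?id=.
' The connection string, the products table and its columns are assumptions.
Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=shop;Integrated Security=SSPI;"

' VULNERABLE: the request parameter is pasted straight into the SQL text,
' so whatever is appended to ?id= becomes part of the statement the
' database executes. This is the shape of code the analyzer flags.
Function LookupProductUnsafe(conn)
    Dim sql
    sql = "SELECT name, price FROM products WHERE id = " & Request.QueryString("id")
    Set LookupProductUnsafe = conn.Execute(sql)
End Function

' FIXED: the value travels to the server as a typed parameter, never as
' SQL text, so the statement cannot change shape regardless of input.
' ADO constants used as literals: adCmdText = 1, adInteger = 3, adParamInput = 1
Function LookupProductSafe(conn)
    Dim cmd, id
    ' Reject anything that is not a number before it reaches the database.
    If Not IsNumeric(Request.QueryString("id")) Then
        Response.Status = "400 Bad Request"
        Response.End
    End If
    id = CLng(Request.QueryString("id"))

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = 1 ' adCmdText
    cmd.CommandText = "SELECT name, price FROM products WHERE id = ?"
    cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , id) ' adInteger, adParamInput
    Set LookupProductSafe = cmd.Execute
End Function

' Page body: only the parameterized version is wired up.
Dim rs
Set rs = LookupProductSafe(conn)
Do Until rs.EOF
    ' HTMLEncode the value on output so stored data cannot inject markup.
    Response.Write Server.HTMLEncode(rs("name")) & ": " & rs("price") & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```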