
Re: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler




--On June 25, 2008 10:43:52 AM +0200 "Sven Vetsch / Disenchant"
<sven.vetsch@disenchant.ch> wrote:

> Why haven't HP and the Web Security Research Group added this
> functionality to an already existing SQL Injection scanner? I'm not sure
> about this, but isn't there a big chance that developers or even
> security people without deeper webappsec knowledge think that Scrawlr
> can find all SQL Injections for them because behind it they'll find the
> names HP and Microsoft? If this becomes the case, we'll have much bigger
> problems than we actually have because, as already mentioned by Billy,
> it's *not* a replacement for tools like Absinthe, etc., and so developers
> will not find any form-based SQL Injections if they don't use other
> scanners too.
>

Geez, you don't give us much credit.

We own WebInspect and use it routinely to find problems in sites on our
network.  Yet I was pleased to read this announcement because this tool
*may* find problems faster than we can do with WI alone.

I don't know what world you live in, but in mine I can assure you that the
name Microsoft does not engender confidence regarding security issues.  In
fact it's a pet peeve of mine that so many of the commercial security
vendors sell products that only run on MS products.  It's like chalk on a
blackboard to me.

The name HP engenders - not much of anything wrt security.  They are a
johnny-come-lately to the field and will have to prove themselves before
they gain my confidence.

Paul Schmehl
If it isn't already obvious,
my opinions are my own and not
those of my employer.

Brought to you by http://www.webappsec.org