Saturday, July 05, 2008

More free (reg-ware) SQL injection help, this time its the “SQL Injector and Crawler” aka Scrawlr, from HP

The HP Security Laboratory - Finding SQL Injection with Scrawlr

“…

Scrawlr, developed by the HP Web Security Research Group in coordination with the MSRC, is short for SQL Injector and Crawler. Scrawlr will crawl a website while simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. Scrawlr is lightning fast and uses our intelligent engine technology to dynamically craft SQL Injection attacks on the fly. It can even provide proof positive results by displaying the type of backend database in use and a list of available table names. There is no denying you have SQL Injection when I can show you table names!

Technical details for Scrawlr

  • Identify Verbose SQL Injection vulnerabilities in URL parameters
  • Can be configured to use a Proxy to access the web site
  • Will identify the type of SQL server in use
  • Will extract table names (verbose only) to guarantee no false positives

Scrawlr does have some limitations versus our professional solutions and our fully functional SQL Injector tool …”

As we move from handling OS to application vulnerabilities, these kinds of tools will come in handy. Of course, in a prefect world, this kind of scanning would be part of our Software Development Lifecycle, baked into our dev and build environments, etc. But then again, in a prefect world I’d have won the lotto already too. Reality is a gritty, dirty and ugly place where we just do what we have to do… (wow, can you tell it’s been a long week? lol  ;)

(via Hosam Kamel - Free SQL Injection Vulnerability Scanner By HP)

 

Related Past Post XRef:
ASP SQL Injection Source Code Analysis (CTP)

1 comment:

Dave Miller said...

One first sight, this is broken, as it reported my site as ok but after reading the helpful guide, I entered "or= as a parameter in the address bar and got the response Query failed. Once I corrected the error in my code the page was returned correctly.

Old code -

$query = "select * from pictures where cyear=$theyear" ;

$result = mysql_query($query) or die('Query failed');

Corrected with sngle quotes either side of $theyear -

$query = "select * from pictures where cyear='$theyear'" ;