

HP Scrawlr: Harmlessly inject yourself to find your sql injection vulnerabilities - gscott
http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx

======
tptacek
"A: Over the last several months, hackers have been using automated tools to
perform mass exploitation of hundreds of thousands of websites. The attackers
are using Google to find web applications built using Microsoft’s Active
Server Pages and then performing SQL Injection attacks against these sites
injecting various types of malware which are subsequently served to
unsuspecting visitors. Scrawlr was specifically designed to help web
developers test their website for SQL injection vulnerabilities that could be
exposed to an attacker through a search engine. As such, Scrawlr crawls a
website using the same techniques as a search engine: it doesn’t keep state,
or submit forms, or execute JavaScript or Flash. To fully test your web
application for SQL Injection and other web vulnerabilities requires the use
of a full featured web vulnerability scanner such as HP WebInspect."

Surprise! A vulnerability is in the news, and a product company has released a
teaser product to address 5% of it!

HP Security is SPI Dynamics. SPI WebInspect was the best-regarded web security
scanner. But WebInspect is also the bane of the industry; as with all scanner
products, charlatan consultants run them, interpret the results, and call it a
(billable) day. Scrawlr looks like a fiercely cut-back version of the same
product.

~~~
tptacek
Next 10 people to upmod me? Free SQL injection refrigerator magnets. At least
as useful as Scrawlr, if not more so!

<http://www.matasano.com/log/1073/the-web-pest-poet/>

I'm not above buying my karma! =)

~~~
bobbytables
<script>alert("my panties in a knot")</script>

------
bayareaguy
A few years ago there was a fellow who gave a presentation at a PostgreSQL
user group. He demonstrated an easy-to-understand way to virtually eliminate
SQL injection attacks. I can't find the paper now, but if I recall properly it
worked by allowing you to specify a prototype of the kind of statement you
want to expand and then checking if the statement being prepared was
structurally equivalent to the prototype and then throwing an exception if
not. For example if you specify a prototype like

    select name from emp where {x = 1}

then you're telling the system that you want your where clause to have the AST
structure {variable operator constant}.

Then you let the application generate whatever sql it wants however it wants,
e.g.

    "select name from emp where x = " + $x

Then if the database server gets something like

    "select name from emp where x = x; delete * from emp"

then the statement doesn't match the structure of the prototype and an error is
returned. This allows even a novice to specify the kind of SQL they want to
allow without having to learn much.
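The prototype check described above, written out as an added example (it is neither the paper's code nor anything posted in this thread): both the prototype and the generated statement are reduced to a token skeleton, and the statement is accepted only when the skeletons match exactly. The keyword list, the token classes and the brace handling are this example's own simplifications.

```python
import re

# Assumption of this example: a prototype is plain SQL whose braces just mark
# the region the author cares about; here the whole skeleton is compared.
KEYWORDS = {"select", "from", "where", "and", "or", "not", "in",
            "delete", "insert", "update", "drop", "union"}

TOKEN_RE = re.compile(r"""
    \s+                                  # whitespace, dropped
  | (?P<str>'(?:[^']|'')*')              # string literal ('' escapes a quote)
  | (?P<num>\d+(?:\.\d+)?)               # numeric literal
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)     # keyword or identifier
  | (?P<op><>|<=|>=|!=|[=<>])            # comparison operators
  | (?P<punct>[(),;*])                   # punctuation
  | (?P<brace>[{}])                      # prototype markers, ignored
""", re.VERBOSE)


def shape(sql: str) -> list[str]:
    """Skeleton of a statement: keywords and punctuation stay as text,
    identifiers become IDENT, literals become CONST. Any character the
    tokenizer does not know (e.g. a '--' comment) raises ValueError."""
    out, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if not m:
            raise ValueError(f"unexpected character {sql[pos]!r} at {pos}")
        pos, kind = m.end(), m.lastgroup
        if kind is None or kind == "brace":      # whitespace or { }
            continue
        text = m.group(kind)
        if kind in ("str", "num"):
            out.append("CONST")
        elif kind == "word":
            low = text.lower()
            out.append(low if low in KEYWORDS else "IDENT")
        else:
            out.append(text)
    return out


def check(prototype: str, sql: str) -> tuple[bool, str]:
    """Accept sql only if its skeleton equals the prototype's skeleton."""
    try:
        got = shape(sql)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    want = shape(prototype)
    return (got == want), ("ok" if got == want else f"mismatch: {got} != {want}")


PROTOTYPE = "select name from emp where {x = 1}"
```

With `PROTOTYPE`, `check(PROTOTYPE, "select name from emp where x = 42")` is accepted, while the injected `"... where x = x; delete * from emp"` from the comment above, a trailing `or 1 = 1`, and a `--` comment are all rejected.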

------
aasarava
From the site:

    * Will only crawl up to 1500 pages
    * Does not support sites requiring authentication
    * Does not perform Blind SQL injection
    * Cannot retrieve database contents
    * Does not support JavaScript or flash parsing
    * Will not test forms for SQL Injection (POST Parameters)

I'd say items 2 and 6 on that list make this tool pointless for the majority
of Web apps...

------
lakeeffect
Django quotes the user input by default, but definitely still worth running.
Good Find.

Another for you. <http://www.cirt.net/nikto2>

------
axod
_OR_ just use parameterization/prepared statements in all your SQL. Sort of a
no-brainer.

