List: owasp-dotnet
Subject: Re: [Owasp-dotnet] Fwd: FW: [WEB SECURITY] Announcing Scrawlr: SQL
From: "dinis cruz" <dinis.cruz () owasp ! org>
Date: 2008-07-26 9:50:32
Message-ID: 60235a7b0807260250q627539dw538f7ce59c69c024 () mail ! gmail ! com
Hi Mark, when you do put it up, can you also post details like the ones in
James's comments.
It would be good to compile all these tools and document where/how they can
be used. This way, a developer (or security consultant) could make sure
they covered all bases.
http://www.owasp.org/index.php/.NET_Security_for_Developers is a good place
to start putting this information.
Ultimately, I would like to have a WIKI page (and maybe even an OWASP DotNet
book) which I could point developers to and say: 'Make sure you read and
understand all of that!'
Dinis
On Wed, Jun 25, 2008 at 1:36 AM, Mark Roxberry <mark.roxberry@owasp.org> wrote:
> Here's the Technet advisory, it includes the Scrawlr tool, URLScan 3.0 Beta
> and a source code analyzer for sql injection code smells:
>
> http://www.microsoft.com/technet/security/advisory/954462.mspx
>
> I'll put it up on the OWASP site.
> On Tue, Jun 24, 2008 at 7:23 PM, James Knowles <james@unwindsoftware.com>
> wrote:
>
> > Just picked it up. It has some limitations, but points them out.
> >
> > "This is a free tool and is intended to find SQL Injection vulnerabilities
> > on pages that hackers can discover using a simple crawler or Google
> > query. This application mimics a search engine crawler and lacks the
> > advanced crawling and auditing features of tools such as WebInspect,
> > DevInspect, QAInspect, and AMP. Thus Scrawlr will only find SQL Injection
> > vulnerabilities on GET Parameters; Scrawlr will not submit forms, nor audit
> > them. The list below summarizes the limitations:
> >
> > · 1500 Max Crawled URLs
> > · No Script parsing during crawl
> > · No Flash parsing during crawl
> > · No form submissions during crawl (No POST Parameters)
> > · Only simple proxy support
> > · No authentication or login functionality
> > · Does not check for blind SQL injection"
> >
> > Looks solid so far and, well, IMHO anything like this is great for the
> > general dev community to have and run against their site. They make the
> > limitations pretty clear and it will get the average dev thinking.
> >
> > I have a site I can put back onto my test server which has known SQL
> > injection problems, so tomorrow I will see how well it fares with actual
> > positives. I have thrown only three sites at it at the moment, all of which
> > I knew (read: hoped ;-) were secure, and it seems to have indexed the pages
> > and crawled them successfully.
> >
> > Good step in the right direction,
> >
> > James
> >
> > *From:* owasp-dotnet-bounces@lists.owasp.org [mailto:
> > owasp-dotnet-bounces@lists.owasp.org] *On Behalf Of *Mark Roxberry
> > *Sent:* 24 June 2008 23:48
> > *To:* owasp-dotnet@lists.owasp.org
> > *Subject:* [Owasp-dotnet] Fwd: FW: [WEB SECURITY] Announcing Scrawlr: SQL
> > Injector and Crawler
> >
> > Scrawlr announcement - Microsoft / HP Collaborate on SQL Injection tool:
> >
> > https://download.spidynamics.com/Products/scrawlr/
> >
> > I haven't checked out the tool yet, if anyone has, please let the list
> > know.
> >
> > Regards,
> >
> > Mark
> >
> > > From: billy.hoffman@hp.com
> > > To: websecurity@webappsec.org
> > > Date: Tue, 24 Jun 2008 21:35:01 +0000
> > > Subject: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler
> > >
> > > In response to all the Mass SQL Injection attacks this year, Microsoft
> > > approached HP and the Web Security Research Group (formerly SPI Labs) for
> > > assistance. While there was nothing they could patch, Microsoft wanted to
> > > provide tools to help developers find and fix these issues. After a month of
> > > development HP created Scrawlr.
> > >
> > > Scrawlr (short for SQL Injector and Crawler) is a free tool that will
> > > crawl a website while simultaneously analyzing the parameters of each
> > > individual web page for SQL Injection vulnerabilities. Scrawlr was designed
> > > specifically to help protect against these mass injection attacks, which
> > > use Google queries to find older web applications and automatically
> > > inject them. As such, Scrawlr crawls a website using the same techniques
> > > as a search engine: it doesn't keep state, or submit forms, or execute
> > > JavaScript or Flash. Thus Scrawlr finds and audits the pages that
> > > would have been indexed by the search engines.
> > >
> > > To reduce false positives Scrawlr provides proof of the vulnerability
> > > results by displaying the type of backend database in use and a list of
> > > available table names. There is no denying you have SQL Injection when I can
> > > show you table names!
> > >
> > > Microsoft Announcement here:
> > > http://www.microsoft.com/technet/security/advisory/954462.mspx
> > > HP WSRG Blog:
> > > http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx
> > > Download here: https://download.spidynamics.com/Products/scrawlr/
> > >
> > > Enjoy,
> > > Billy Hoffman
> > > --
> > > Manager, HP Web Security Research Group
> > > HP Software - Application Security Center
> > > Direct: 770-343-7069
> > >
> > >
> > >
> > ----------------------------------------------------------------------------
> > > Join us on IRC: irc.freenode.net #webappsec
> > >
> > > Have a question? Search The Web Security Mailing List Archives:
> > > http://www.webappsec.org/lists/websecurity/archive/
> > >
> > > Subscribe via RSS:
> > > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> > >
> > > Join WASC on LinkedIn
> > > http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> > >
> _______________________________________________
> Owasp-dotnet mailing list
> Owasp-dotnet@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-dotnet
>
>
_______________________________________________
Owasp-dotnet mailing list
Owasp-dotnet@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-dotnet
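As an added illustration of the approach Billy describes above (crawl the site the way a search engine would, then probe every GET parameter and fingerprint the backend from the error it leaks), here is a toy crawler in Python. It is example code written for this archive, not Scrawlr's code; the host example.test, its pages and the short table of database error signatures are constructed for the demo, and a real scanner would carry a much larger signature set. It inherits the limits James quoted: same-host links only, no forms or POST parameters, no script execution, a crawl cap, and no blind detection, which the constructed news.aspx page demonstrates by swallowing the error so the probe sees nothing.

```python
"""Toy GET-parameter SQL injection crawler in the spirit of Scrawlr.

Added example, not Scrawlr's code. Network access is replaced by a
fetch callable so it runs offline against constructed pages.
"""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urljoin, urlparse, urlsplit, urlunsplit

# Illustrative subset of error strings that identify the backend once a
# single quote breaks the query (assumption: a real tool needs many more).
DB_SIGNATURES = {
    "Microsoft SQL Server": ["Unclosed quotation mark", "SqlException"],
    "MySQL": ["You have an error in your SQL syntax"],
    "Oracle": ["ORA-01756", "ORA-00933"],
}


class LinkExtractor(HTMLParser):
    """Collects <a href> targets only: no forms, no script, like a search engine."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def fingerprint(body):
    """Return the backend name whose error signature appears in body, else None."""
    for db, needles in DB_SIGNATURES.items():
        if any(n in body for n in needles):
            return db
    return None


def inject(url, param, payload="'"):
    """Append payload to one query-string parameter, leaving the others intact."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    mutated = [(k, v + payload if k == param else v) for k, v in query]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(mutated), parts.fragment))


def scrawl(start_url, fetch, max_urls=1500):
    """Breadth-first crawl of same-host links, probing each GET parameter.

    Returns {page_url: {param: backend}} for parameters whose probe leaked a
    database error. Pages that swallow errors (blind injection) are not found.
    """
    host = urlparse(start_url).netloc
    seen = {start_url}
    queue = deque([start_url])
    findings = {}
    while queue:
        url = queue.popleft()
        body = fetch(url)
        if body is None:
            continue
        # Audit every GET parameter on this page with a single-quote probe.
        for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            db = fingerprint(fetch(inject(url, name)) or "")
            if db:
                findings.setdefault(url, {})[name] = db
        # Follow links, staying on the same host and under the crawl cap.
        extractor = LinkExtractor()
        extractor.feed(body)
        for href in extractor.links:
            nxt = urljoin(url, href).split("#")[0]
            if urlparse(nxt).netloc == host and nxt not in seen and len(seen) < max_urls:
                seen.add(nxt)
                queue.append(nxt)
    return findings


# Constructed sample site (hypothetical host; responses are made up for the demo).
SITE = {
    "http://example.test/": (
        '<a href="/products.aspx?id=1">products</a>'
        '<a href="/news.aspx?id=7">news</a>'
        '<a href="http://other.test/x?q=1">external</a>'
    ),
    "http://example.test/products.aspx?id=1": "<html>Widget</html>",
    # The probe breaks the query and the page echoes the SQL Server error.
    "http://example.test/products.aspx?id=1%27": "Unclosed quotation mark after the character string '1''.",
    "http://example.test/news.aspx?id=7": "<html>Story</html>",
    # Same bug, but the error is swallowed: blind, and invisible to this probe.
    "http://example.test/news.aspx?id=7%27": "<html>Story</html>",
}


def fetch_offline(url):
    """Stand-in for an HTTP GET; unknown URLs behave like a 404."""
    return SITE.get(url)


if __name__ == "__main__":
    for page, params in scrawl("http://example.test/", fetch_offline).items():
        for param, backend in params.items():
            print(f"{page}  param={param}  backend={backend}")
```

Run it and only products.aspx is reported; news.aspx has the same flaw but returns its normal page when the query fails, which is exactly the blind case the tool's documentation says it does not cover. Swap fetch_offline for a real HTTP client to point it at a test host you own.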