United States-English
» Home - Tab
Blogs - Tab - Selected
» Forums - Tab

The HP Security Laboratory

Finding SQL Injection with Scrawlr

Published 24 June 2008, 01:00 PM

 Yes, we know that other blogs on this issue have included this comic, but it's just too perfect to not reference it

You have likely been tracking the mass SQL Injections that are currently sweeping through the net. Just last night I was shopping on www.ihomeaudio.com when I noticed they had been injected (they have since fixed their site). HP started to observe these attacks in January. They spread to over 500,000 sites by April before calming down and then picking up again in May. Most of the sites hit were initally Microsoft IIS ASP applications, causing many security companies to mistake this for some sort of new vulnerability in IIS and leading Microsoft to research the possibility, but alas, it's just our old friend, SQL Injection. Indeed we now see this attack hitting ASP and PHP sites and thanks to Google, it's easy to see just which sites out there have been hit.

While we were closely following the situation, the nice folks at Microsoft contacted us to see if we could work together to help people identify and cope with this issue. Together we quickly developed an action plan. The Microsoft Security Response Center (MSRC) was in a tough spot, hundreds of thousands of ASP sites were getting hacked, yet the vulnerability wasn't something Microsoft could release a patch for. SQL Injection is an issue that occurs because of poorly written web code interfacing with the web sites backend database and the solution was much more complicated than a simple patch. Developers were going to have to learn about security and were going to have to patch their code if they were going to solve this. Microsoft's Security Vulnerability Research & Defense has a blog about this problem as well where they share Microsoft's recomendations for this problem.

Now if you are no stranger to web security, you might be saying "well duh" right about now. Unfortunately to at least 500,000 sites on the Internet this concept is still pretty new and if you are one of the folks who are just now learning what SQL Injection is, I highly recomend you read HP's Web Security Research Group white papers on verbose and blind SQL injection located in our HP application security resource library.

Introducing HP Scrawlr

 

When Microsoft contacted us, they asked us to equip their customers with the tools necessary to quickly find SQL Injection vulnerabilities in their sites. HP's application security software, DevInspect, QAInspect and WebInspect all find SQL Injection and countless other security vulnerabilities. DevInspect can even inspect your source code for SQL Injection as well and guide developers through the process of fixing their code. But what if you need to just quickly look for SQL Injection before you decide how you are going handle the issue? We needed something quick, highly accurate and easy to download and install.

Scrawlr, developed by the HP Web Security Research Group in coordination with the MSRC, is short for SQL Injector and Crawler. Scrawlr will crawl a website while simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. Scrawlr is lightning fast and uses our intelligent engine technology to dynamically craft SQL Injection attacks on the fly. It can even provide proof positive results by displaying the type of backend database in use and a list of available table names. There is no denying you have SQL Injection when I can show you table names!

Technical details for Scrawlr

  • Identify Verbose SQL Injection vulnerabilities in URL parameters
  • Can be configured to use a Proxy to access the web site
  • Will identify the type of SQL server in use
  • Will extract table names (verbose only) to guarantee no false positives

Scrawlr does have some limitations versus our professional solutions and our fully functional SQL Injector tool

  • Will only crawls up to 1500 pages
  • Does not support sites requiring authentication
  • Does not perform Blind SQL injection
  • Cannot retrieve database contents
  • Does not support JavaScript or flash parsing
  • Will not test forms for SQL Injection (POST Parameters)

Download Scrawlr

You can download Scrawlr by visiting the following link: https://download.spidynamics.com/products/scrawlr/

Scrawlr is offered as-is and is not a supported product. Assistance may be available from other Scrawlr users in our online Scrawlr forum located at http://www.communities.hp.com/securitysoftware/forums/198.aspx

You can learn more about the HP Web Application Security Group and the HP Application Security Center by visiting our Security Community site at www.communities.hp.com/securitysoftware/ or by visiting our product information page at www.hp.com/go/securitysoftware/

Posted By erik.peterson | 31 Comments | Trackbacks | Permalink
Filed under: , , ,


Comments

In collaboration with SQL Server, IIS, and Hewlett Packard, the Microsoft Security Response Center (MSRC)

# Tuesday, June 24, 2008 09:06 PM by The Data Platform Insider

Pingback from  Microsoft: Rise in SQL Injection Attacks  | Infosecurity.US

# Wednesday, June 25, 2008 07:05 AM by Microsoft: Rise in SQL Injection Attacks | Infosecurity.US

When I went to download scrawlr I found that the code checking the form fields for zip and phone number is broken for non US locations. It tries to enforce a US format ZIP code (our postcodes have 4 digits) and some sort of phone number that appears to choke on an international dialling prefix. This despite selecting "outside US" from the dropdown. Consequently I had to make up fields that would get past the checks which makes their entry pretty pointless for HP.

# Wednesday, June 25, 2008 07:23 AM by Paul Cuthbert

Oh dear. This "useful" tool is clearly going to be used by hackers (or worse - script kiddies) to determine which sites are vulnerable! I mean how perfect a tool can a hacker ask for - this thing even gives them the table names!

# Wednesday, June 25, 2008 08:39 AM by Aleem

if only we could download outside of us - keeps throwing back invalid zip/postal code on download page

# Wednesday, June 25, 2008 12:12 PM by ibanyard

"Will not test forms for SQL Injection (POST Parameters)"

I think that the tool is pretty useless without testing forms, don't you?

# Wednesday, June 25, 2008 12:46 PM by edddy

Interesting stuff.  Hey we're a hosting provider and are considering implementing a new security policy requiring that all customers hosting web applications on our servers modify their code to read from read-only datasources and write to write-only datasources.  SQL injections an admittedly still be executed on the write datasources, but we think it might at least slow hackers down and provide an additional layer of security.  Think it's worth the trouble?  Is this a common practice?  Thanks!

# Wednesday, June 25, 2008 01:07 PM by Richard Jackson

I will be getting back to the "Day in the Life of the DBA" series of posts, but I got this from the security

# Wednesday, June 25, 2008 04:10 PM by Carpe Datum

Doesnt' support POST forms or Javascript. In other words, this demo tool can't actually test anything that any web developer would have written since, oh, say 2001.

Epic fail.

# Wednesday, June 25, 2008 04:55 PM by Mark H.

In response to edddy:

update footable set last_name="Jones" where row_id="47";

Write-only users tend to be useless if you ever have to update rows based upon criteria. Assuming your users do more than keep a database of page hits, your solution has a serious problem.

# Wednesday, June 25, 2008 04:59 PM by Mark H.

Hi everyone, thanks for your feedback, a lot of people are pretty critical about our decision to not include testing of POST parameters. we thought about it, but the original scope of this tool was to find the same types SQL injection vulns that were recently responsible for the compromise of over 500,000 sites (some estimates suggest 2 million sites). I know, most people would think something like this wouldn't be so prevalent but it would seem that the majority of web sites are still developed without regard to security issues. It's out hope with this tool that we can build awareness of this issue and help folks out there justify the need to consider security issues when they are building and testing their applications. If folks have feature requests or other rants and raves, please feel free to let us know in our Scrawlr forum at www.communities.hp.com/.../198.aspx

Thanks!

# Wednesday, June 25, 2008 05:11 PM by erik.peterson

It would be nice if the tool could use cookies from previous authentications or allow the tester to input their credentials prior to initiating the crawl.  Without one of these features, the tool can't crawl websites that require authentication so it's not very useful.  

# Thursday, June 26, 2008 12:25 PM by LS

Is this tool just a subset of HP/SPI Dynamics' SQL Injector tool?  If I already own that own, should I bother with this tool?

# Thursday, June 26, 2008 03:29 PM by SPI Customer

Reply to Richard Jackson:

SQL injection can be used to steal data on a read-only database (such as account numbers and addresses).  It can also be used to run code on the server if the DB engine hasn't been hardened.  Your suggested limitations do not add protection but will instead break some well designed sites.

# Thursday, June 26, 2008 05:45 PM by Evan Barr

We Mac users need to be able to check the vulnerabilities of our web sites too, but we can't use the MSI file. Are there any plans to create software that I can use on OSX?

# Thursday, June 26, 2008 11:10 PM by Mac Guy

thanks for the info

# Friday, June 27, 2008 09:28 AM by Robert Evans

Erik, If's tough trying to "train" developers, seems they are all from the "show me" state. Raising awareness is nice, getting in the face of developers with their tablenames is much nicer, finding the offensive code to protect an infrastructure is best. You get us 5/8 of the way there.

# Tuesday, July 01, 2008 05:51 PM by CHarles C.

Pingback from  A Promenade Digital Life??? -   Scrawlr: Functional SQL Injector Tool

# Friday, July 04, 2008 11:45 PM by A Promenade Digital Life??? - Scrawlr: Functional SQL Injector Tool

Well the tool is pretty cool, but there is a glitch in one of the scripts that reads out the database. The tool performs a: select cast(db_name(dbid) as int)  from master..sysprocesses where spid=@@SPID

which when encrypted looks like:

(select+cast(CHAR(+127+)%2bdb_name(dbid)%2bCHAR(+127+)+as+int)++from+master..sysprocesses+where+spid%3d%40%40SPID)

The script should in fact read:

(select+cast(CHAR(+127+)%2bdb_name(dbid)%2bCHAR(+127+)+as+nvarchar)++from+master..sysprocesses+where+spid%3d%40%40SPID)

The cast has to be to nvarchar instead of int to be able to read out the database name. :-)

Roll on developers for version 2.0?

# Tuesday, July 08, 2008 06:50 AM by John Ness / DBA

In collaboration with SQL Server, IIS, and Hewlett Packard, the Microsoft Security Response Center (MSRC)

# Thursday, July 10, 2008 06:51 AM by Architecture + Strategy

In collaboration with SQL Server, IIS, and Hewlett Packard, the Microsoft Security Response Center (MSRC)

# Thursday, July 10, 2008 06:51 AM by MicrosoftSoCalArchitectBlog

Pingback from  New tools enhance SQL Server security « Circuitous windings in thought

# Thursday, July 10, 2008 06:53 AM by New tools enhance SQL Server security « Circuitous windings in thought

Poorly written web code is one of the most causes of sql injection!.

Interesting post.

F.

# Monday, July 14, 2008 07:47 PM by Francesco

I just tried to run this on my site.

It keeps saying scan did not complete (Scrawl limit reached).

# Thursday, July 17, 2008 03:15 PM by Joe

Pingback from  Scrawlr - check *your* website for SQL injections | SecurityGuy.org

# Tuesday, July 22, 2008 09:57 AM by Scrawlr - check *your* website for SQL injections | SecurityGuy.org

Pingback from  » New tools enhance SQL Server security | SQL Server Feeds

# Friday, August 01, 2008 03:22 AM by » New tools enhance SQL Server security | SQL Server Feeds

Pingback from  » New tools enhance SQL Server security | SQL Server Feeds

# Friday, August 01, 2008 03:29 AM by » New tools enhance SQL Server security | SQL Server Feeds

Pingback from  » New tools enhance SQL Server security | SQL Server Feeds

# Wednesday, August 06, 2008 07:09 AM by » New tools enhance SQL Server security | SQL Server Feeds

Pingback from  » New tools enhance SQL Server security | SQL Server Feeds

# Wednesday, August 06, 2008 01:00 PM by » New tools enhance SQL Server security | SQL Server Feeds

Pingback from  greg hughes - dot net - SQL Injection attacks in the wild - why they're working and what to do

# Tuesday, August 12, 2008 11:00 PM by greg hughes - dot net - SQL Injection attacks in the wild - why they're working and what to do

Pingback from  Finding SQL Injection vulnerabilities on your site

# Thursday, August 14, 2008 03:11 AM by Finding SQL Injection vulnerabilities on your site

Leave a Comment

(required)  
(optional)
(required)  


Type the digits above:
Submit »
Information disclosed in this community becomes public. Exercise caution when deciding to disclose your personal information. HP reserves the right, but is not obligated to, edit or remove your comment if it contains personally identifiable information or other content HP deems unacceptable.  Opinions expressed are your personal opinions or those of the original authors, and not of HP. Please see HP's web Terms of Use for more details.