Scrubbr - New Stored XSS Finder - The HP Security Laboratory Blog

Aspect Security has just released, through OWASP, a new tool called "Scrubbr". Scrubbr is a Java program which connects directly to your database (MySQL 5+, MS SQL 2005+, and Oracle) and analyzes whole databases or specific tables looking for XSS strings. The strings are defined in an XML file--it ships with files from the OWASP AntiSamy project, but they can be customized as needed.

To try it out, I used a phpBB 3.x installation and manually inserted a simple XSS string into the post_text field of a post. Scrubbr gave an error when I tried to scan the entire database, but when I selected the posts table it ran and correctly identified the string. After the scan is complete, an alert window appears which shows any findings. You can see the column in red was identified as containing an XSS string.

From here, there is a button to explain why a field was flagged. On this string, it showed:

This is fairly obvious in this case, but it may not always be--especially if it's a DB or site admin running this tool rather than a security person. This extra information may be beneficial to them.

Scrubbr has one further option I decided to try, which is the magic "Fix" button. The documentation has a bunch of disclaimers about using this feature (as it should), but I pressed on and... unfortunately it didn't replace the attack string as it promised, but rather blanked the post_text field entirely. As a security dude, I call that "fixed" but your application owner may disagree!

Despite the minor flaws (and no one should be pressing "Fix" on their production database!), Scrubbr is a pretty awesome tool to add to your kit if you're an auditor or site administrator. Despite our best efforts, security is not 100%--whether the attack vector comes from slow patching, laziness or a shiny new 0day--sometimes they sneak through. This tool can help you clean up after a successful attack, or give you ongoing peace of mind that nothing fishy happened while you were sleeping. Like all new software, there will be some bugs but I imagine with a little feedback they'll be ironed out soon enough. Kudos to Arshan Dabirsiaghi for writing this, and for Aspect releasing it through OWASP.
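To make the scan, explain and fix loop concrete, here is an added example (not Scrubbr's code, and not from the original post) in Python against an in-memory SQLite table standing in for phpBB's posts table. The regex patterns, table layout and sample rows are constructed stand-ins for Scrubbr's AntiSamy-derived XML definitions, and the fix escapes the flagged field instead of blanking it.

```python
import html
import re
import sqlite3
# Constructed patterns standing in for Scrubbr's XML-defined XSS strings
# (assumption: the real AntiSamy-derived definitions are not reproduced here).
XSS_PATTERNS = {
    "script tag": re.compile(r"<\s*script\b", re.I),
    "inline event handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript: URL": re.compile(r"javascript\s*:", re.I),
}

def scan_table(conn, table, columns):
    """Return (rowid, column, pattern name, matched text) for every hit.
    Table/column names come from the operator, not user input, so they are
    quoted as identifiers; only data values are bound as parameters."""
    cols = ", ".join(f'"{c}"' for c in columns)
    findings = []
    for rowid, *values in conn.execute(f'SELECT rowid, {cols} FROM "{table}" ORDER BY rowid'):
        for col, value in zip(columns, values):
            if not isinstance(value, str):
                continue
            for name, pattern in XSS_PATTERNS.items():
                match = pattern.search(value)
                if match:
                    # Pattern name and matched text are the "why was this flagged" detail.
                    findings.append((rowid, col, name, match.group(0)))
    return findings

def fix_row(conn, table, column, rowid):
    """Neutralize a flagged field by HTML-escaping it rather than blanking it;
    the original text is returned so the change can be logged and reverted."""
    (old,) = conn.execute(f'SELECT "{column}" FROM "{table}" WHERE rowid = ?', (rowid,)).fetchone()
    conn.execute(f'UPDATE "{table}" SET "{column}" = ? WHERE rowid = ?',
                 (html.escape(old, quote=True), rowid))
    conn.commit()
    return old

def build_sample_db():
    """Constructed in-memory stand-in for a phpBB 3.x posts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phpbb_posts (post_id INTEGER PRIMARY KEY, "
                 "post_subject TEXT, post_text TEXT)")
    conn.executemany("INSERT INTO phpbb_posts VALUES (?, ?, ?)", [
        (1, "Hello", "Welcome to the forum!"),
        (2, "Re: Hello", "Check this out <script>alert(1)</script>"),
        (3, "Link", 'See <a href="javascript:void(0)">here</a>'),
    ])
    conn.commit()
    return conn
```

Rewriting stored rows like this is cleanup after the fact; the durable mitigation is output encoding in the application, since the stored text is a symptom rather than the root cause.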

You can download Scrubbr here.


Posted 02-23-2009 4:56 PM by Chris Sullo

Comments

Pingback from Topics about Communitys » Archive » Scrubbr - New Stored XSS Finder - The HP Security Laboratory
on 04-22-2009 10:53 PM
