Re: Scrawlr & HacmeBank

HansEnders — Mon, 29 Sep 2008 20:11:52 GMT

Walker-SRS;

You are partly correct. Scrawlr will miss the SQLi vulns in HacmeBank due to its lightweight and free design aimed at the recent Microsoft attack vectors. Scrawlr was meant to specifically search for URL injection points via the GET method, and cannot authenticate. The SQLi vulns, both verbose and Blind, found on HacmeBank are forms found in the POST, specifically "txtUserName" and "txtPassword".

Here are the details on Scrawlr taken from this other forum posting: http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx?jumpid=reg_R1002_USEN

Technical details for Scrawlr

    * Identify Verbose SQL Injection vulnerabilities in URL parameters
    * Can be configured to use a Proxy to access the web site
    * Will identify the type of SQL server in use
    * Will extract table names (verbose only) to guarantee no false positives

Scrawlr does have some limitations versus our professional solutions and our fully functional SQL Injector tool

    * Will only crawls up to 1500 pages
    * Does not support sites requiring authentication
    * Does not perform Blind SQL injection
    * Cannot retrieve database contents
    * Does not support JavaScript or flash parsing
    * Will not test forms for SQL Injection (POST Parameters)

Scrawlr & HacmeBank

Walker-SRS — Thu, 07 Aug 2008 11:28:27 GMT

I ran Scrawlr against Foundstones HacMe Bank web site, which is riddled with SQL Injection vulnerabilities, and it came up with nothing.

If the application cannot identify the base level vulnerabilities in a purposefully built vulnerable site, is it not leading others into a false sense of security?

Or am I missing something?