
SQL Injection Detection Tool: Scrawlr

Posted by admin on July 9, 2008

Proactive SQL Injection combatants can download Scrawlr (for free) from HP’s web site. With Scrawlr (short for SQL Injector and Crawler) you can crawl a web site, analyze the URL parameters of each page and check them for potential SQL injection.

According to HP’s Erik Peterson, “Scrawlr is lightning fast and uses our intelligent engine technology to dynamically craft SQL Injection attacks on the fly. It can even provide proof positive results by displaying the type of backend database in use and a list of available table names. There is no denying you have SQL Injection when I can show you table names!”

Some of the things that Scrawlr can do include:

  • Identify verbose SQL injection vulnerabilities in URL parameters
  • Can be configured to use a proxy to access the web site
  • Identify the type of SQL server (backend database) in use
  • Extract table names (verbose only) to guarantee no false positives

As with most free things, there are some limitations as to what Scrawlr will and can do (obviously, HP would like to sell its professional-strength SQL Injection tools as well):

  • Scrawlr will only crawl up to 1,500 pages
  • Scrawlr does not support web sites that require user authentication (user name & password)
  • Scrawlr cannot retrieve database contents
  • Scrawlr does not test forms (POST parameters) for SQL Injection
  • Scrawlr parses neither Flash nor JavaScript
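To make concrete what “verbose SQL injection in URL parameters” and the limitations above mean in practice, here is an added example written for this post; it is not Scrawlr’s code nor anything HP has published. It is a small crawler that follows same-host links, appends a quote to each GET parameter in turn, and fingerprints the backend from the database error text that a verbose (error-based) injection leaks into the page. The site, the host name shop.example and the responses are constructed stand-ins so the example runs offline; the error strings are the well-known ones the named engines emit, but the signature table is illustrative, not exhaustive. Like Scrawlr, it only tests URL parameters (no POST forms), only follows plain href links (no JavaScript or Flash parsing), and stops after a page budget, 1,500 by default.

```python
import re
from collections import deque
from urllib.parse import urlsplit, urlunsplit, urljoin, parse_qsl, urlencode

# Verbose (error-based) detection: a stray quote breaks an unparameterised query and the
# database's own error text leaks into the page. That text also fingerprints the engine.
# Well-known messages only; a real scanner carries a much longer table (illustrative list).
DB_ERROR_SIGNATURES = {
    "MySQL": [r"You have an error in your SQL syntax", r"mysql_fetch_(array|assoc|row)"],
    "Microsoft SQL Server": [r"Unclosed quotation mark after the character string",
                             r"Microsoft OLE DB Provider for SQL Server"],
    "Oracle": [r"ORA-0\d{4}"],
    "PostgreSQL": [r"unterminated quoted string at or near", r"PostgreSQL query failed"],
    "SQLite": [r"unrecognized token", r"SQLITE_ERROR"],
}
PAYLOADS = ["'", '"']
HREF_RE = re.compile(r"""href\s*=\s*["']([^"'#]+)""", re.IGNORECASE)


def fingerprint(body):
    """Return the database engine named by an error message in body, or None."""
    for engine, patterns in DB_ERROR_SIGNATURES.items():
        if any(re.search(p, body, re.IGNORECASE) for p in patterns):
            return engine
    return None


def inject_params(url, payload):
    """Yield (param_name, mutated_url), appending payload to one GET parameter at a time."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    for i, (name, value) in enumerate(params):
        mutated = list(params)
        mutated[i] = (name, value + payload)
        yield name, urlunsplit(parts._replace(query=urlencode(mutated)))


def extract_links(page_url, body):
    """Absolute same-host links from href attributes; JavaScript/Flash links are invisible."""
    host = urlsplit(page_url).netloc
    links = []
    for href in HREF_RE.findall(body):
        absolute = urljoin(page_url, href)
        if urlsplit(absolute).netloc == host:
            links.append(absolute)
    return links


def crawl_and_scan(start_url, fetch, max_pages=1500, payloads=PAYLOADS):
    """Breadth-first crawl from start_url, probing every GET parameter of every page.

    fetch(url) returns the response body (str) or None. Returns a list of findings
    {"url", "param", "db"}. The crawl stops after max_pages pages (Scrawlr's cap is 1,500).
    """
    seen, queue, findings, pages = {start_url}, deque([start_url]), [], 0
    while queue and pages < max_pages:
        url = queue.popleft()
        pages += 1
        body = fetch(url)
        if body is None:
            continue
        # A page that shows a DB error even without our payload would be a false positive.
        if fingerprint(body) is None:
            confirmed = set()
            for payload in payloads:
                for param, test_url in inject_params(url, payload):
                    if param in confirmed:
                        continue
                    engine = fingerprint(fetch(test_url) or "")
                    if engine:
                        confirmed.add(param)
                        findings.append({"url": url, "param": param, "db": engine})
        for link in extract_links(url, body):
            if link not in seen:
                seen.add(link)
                queue.append(link)
    return findings


# --- Constructed stand-in for a web site so the example runs offline (not a real host) ---
FAKE_PAGES = {
    "/": '<a href="/item?id=1">Item</a> <a href="/about">About</a> '
         '<a href="http://other.example/">Elsewhere</a>',
    "/about": "<p>About us</p>",
}
MYSQL_ERROR = ("You have an error in your SQL syntax; check the manual that corresponds to "
               "your MySQL server version for the right syntax to use near ''' at line 1")


def fake_fetch(url):
    """Simulates a site whose /item page builds its SQL query by string concatenation."""
    parts = urlsplit(url)
    if parts.path == "/item":
        item_id = dict(parse_qsl(parts.query)).get("id", "")
        if "'" in item_id or '"' in item_id:  # unescaped quote breaks the simulated query
            return MYSQL_ERROR
        return "<h1>Item %s</h1>" % item_id
    return FAKE_PAGES.get(parts.path)


if __name__ == "__main__":
    for f in crawl_and_scan("http://shop.example/", fake_fetch):
        print("SQL injection in %s, parameter %r, backend %s" % (f["url"], f["param"], f["db"]))
```

Two details matter in practice. The baseline check (a page that already contains a database error before any payload is sent is skipped) is what keeps a verbose scanner from reporting pages that simply display a broken query to everyone. And because detection rests entirely on leaked error text, a page that swallows errors and returns a generic message is not flagged even when it is injectable; that is the “verbose only” caveat in HP’s feature list, and why blind injection needs boolean or timing differences that this example does not attempt.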

If you’re not put off by those limitations, give Scrawlr a try. Because Scrawlr is free, it is not a supported product. However, there’s a Scrawlr forum, and HP encourages us to go there to post questions about the product.

Just in case you were wondering (as I was), yes, HP offers professional SQL Injection and Web Security tools as well. If you’re interested, log on to their web site (or Google) and look for DevInspect, QAInspect or WebInspect. All those tools, according to HP, “find SQL Injection and countless other security vulnerabilities. DevInspect can even inspect your source code for SQL Injection as well and guide developers through the process of fixing their code.”