Tuesday, June 24, 2008

Introducing HP Scrawlr

Interesting posting from the folks at HP Security Labs. Not sure if this is as capable as other SQL injectors already out there, but worth a look. Interesting note that they are packaging the Intelligent Engines on the backend with this tool.

[rip from HP blog site]

Scrawlr, developed by the HP Web Security Research Group in coordination with the MSRC, is short for SQL Injector and Crawler. Scrawlr will crawl a website while simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. Scrawlr is lightning fast and uses our intelligent engine technology to dynamically craft SQL Injection attacks on the fly. It can even provide proof positive results by displaying the type of backend database in use and a list of available table names. There is no denying you have SQL Injection when I can show you table names!

  • Technical details for Scrawlr
  • Identify Verbose SQL Injection vulnerabilities in URL parameters
  • Can be configured to use a Proxy to access the web site
  • Will identify the type of SQL server in use
  • Will extract table names (verbose only) to guarantee no false positives
  • Scrawlr does have some limitations versus our professional solutions and our fully functional SQL Injector tool
  • Will only crawls up to 1500 pages
  • Does not support sites requiring authentication
  • Does not perform Blind SQL injection
  • Cannot retrieve database contents
  • Does not support JavaScript or flash parsing
  • Will not test forms for SQL Injection (POST Parameters)

You can download Scrawlr by visiting the following link: