Finding SQL Injection with Scrawlr

 Yes, we know that other blogs on this issue have included this comic, but it's just too perfect to not reference it


You have likely been tracking the mass SQL Injections that are currently sweeping through the net. Just last night I was shopping on www.ihomeaudio.com when I noticed they had been injected (they have since fixed their site). HP started to observe these attacks in January. They spread to over 500,000 sites by April before calming down and then picking up again in May. Most of the sites hit were initally Microsoft IIS ASP applications, causing many security companies to mistake this for some sort of new vulnerability in IIS and leading Microsoft to research the possibility, but alas, it's just our old friend, SQL Injection. Indeed we now see this attack hitting ASP and PHP sites and thanks to Google, it's easy to see just which sites out there have been hit.


While we were closely following the situation, the nice folks at Microsoft contacted us to see if we could work together to help people identify and cope with this issue. Together we quickly developed an action plan. The Microsoft Security Response Center (MSRC) was in a tough spot, hundreds of thousands of ASP sites were getting hacked, yet the vulnerability wasn't something Microsoft could release a patch for. SQL Injection is an issue that occurs because of poorly written web code interfacing with the web sites backend database and the solution was much more complicated than a simple patch. Developers were going to have to learn about security and were going to have to patch their code if they were going to solve this. Microsoft's Security Vulnerability Research & Defense has a blog about this problem as well where they share Microsoft's recomendations for this problem.


Now if you are no stranger to web security, you might be saying "well duh" right about now. Unfortunately to at least 500,000 sites on the Internet this concept is still pretty new and if you are one of the folks who are just now learning what SQL Injection is, I highly recomend you read HP's Web Security Research Group white papers on verbose and blind SQL injection located in our HP application security resource library.


Introducing HP Scrawlr



 



When Microsoft contacted us, they asked us to equip their customers with the tools necessary to quickly find SQL Injection vulnerabilities in their sites. HP's application security software, DevInspect, QAInspect and WebInspect all find SQL Injection and countless other security vulnerabilities. DevInspect can even inspect your source code for SQL Injection as well and guide developers through the process of fixing their code. But what if you need to just quickly look for SQL Injection before you decide how you are going handle the issue? We needed something quick, highly accurate and easy to download and install.


Scrawlr, developed by the HP Web Security Research Group in coordination with the MSRC, is short for SQL Injector and Crawler. Scrawlr will crawl a website while simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. Scrawlr is lightning fast and uses our intelligent engine technology to dynamically craft SQL Injection attacks on the fly. It can even provide proof positive results by displaying the type of backend database in use and a list of available table names. There is no denying you have SQL Injection when I can show you table names!


Technical details for Scrawlr



  • Identify Verbose SQL Injection vulnerabilities in URL parameters

  • Can be configured to use a Proxy to access the web site

  • Will identify the type of SQL server in use

  • Will extract table names (verbose only) to guarantee no false positives


Scrawlr does have some limitations versus our professional solutions and our fully functional SQL Injector tool



  • Will only crawls up to 1500 pages

  • Does not support sites requiring authentication

  • Does not perform Blind SQL injection

  • Cannot retrieve database contents

  • Does not support JavaScript or flash parsing

  • Will not test forms for SQL Injection (POST Parameters)


Download Scrawlr


You can download Scrawlr by visiting the following link: https://h30406.www3.hp.com/campaigns/2008/wwcampaign/1-57C4K/index.php?mcc=DNXA&jumpid=in_r11374_us/....


Scrawlr is offered as-is and is not a supported product. Assistance may be available from other Scrawlr users in our online Scrawlr forum located at http://www.communities.hp.com/securitysoftware/forums/198.aspx.


You can learn more about the HP Web Application Security Group and the HP Application Security Center by visiting our Security Community site at www.communities.hp.com/securitysoftware/ or by visiting our product information page at www.hp.com/go/securitysoftware/

Comments
| ‎06-24-2008 10:06 PM

In collaboration with SQL Server, IIS, and Hewlett Packard, the Microsoft Security Response Center (MSRC)

| ‎06-25-2008 03:52 AM

??????

| ‎06-25-2008 05:43 AM

Guys, what's the matter with your form on the download page? I've entered my true phone number in any combination I could think of, just to have the form return with "Please gimme a *valid* number". I'm surely not going to change my phone number for the sake of a piece of software. Well, I'm glad to tell you that 877-656-7058 was finally accepted. You should know the number - it's from the "contact HP" page!

Please explain to whoever made that form that not everybody on this planet has 10 digit phone numbers. Also, explaining clearly what your idea of a valid number looks like might be a sensible thing to do...

| ‎06-25-2008 08:05 AM

Pingback from  Microsoft: Rise in SQL Injection Attacks  | Infosecurity.US

| ‎06-25-2008 08:07 AM

Tried many times to download the scrawls- failed because in order to download i got to key in my phone number.  Everty  time i key in my phone  number, it will return me invalid phone number.  Pls advise regarding this matter.

| ‎06-25-2008 08:18 AM

The download page for this product needs to validate the input correctly as you cannot enter valid data only rubblish!

(seems the wrong way round to me).  For non US people e.g. UK . phone numbers are not exactly 10 digits and postal codes are not exactly 5 digits.

| ‎06-25-2008 08:21 AM

Unable to download Scrawlr due form registration complains on phonenumber input. Even it is correct.

| ‎06-25-2008 08:23 AM

When I went to download scrawlr I found that the code checking the form fields for zip and phone number is broken for non US locations. It tries to enforce a US format ZIP code (our postcodes have 4 digits) and some sort of phone number that appears to choke on an international dialling prefix. This despite selecting "outside US" from the dropdown. Consequently I had to make up fields that would get past the checks which makes their entry pretty pointless for HP.

| ‎06-25-2008 09:39 AM

Oh dear. This "useful" tool is clearly going to be used by hackers (or worse - script kiddies) to determine which sites are vulnerable! I mean how perfect a tool can a hacker ask for - this thing even gives them the table names!

| ‎06-25-2008 12:54 PM

whats new in this tool ...lot of tool in market like this

| ‎06-25-2008 01:12 PM

if only we could download outside of us - keeps throwing back invalid zip/postal code on download page

| ‎06-25-2008 01:46 PM

"Will not test forms for SQL Injection (POST Parameters)"

I think that the tool is pretty useless without testing forms, don't you?

| ‎06-25-2008 02:07 PM

Interesting stuff.  Hey we're a hosting provider and are considering implementing a new security policy requiring that all customers hosting web applications on our servers modify their code to read from read-only datasources and write to write-only datasources.  SQL injections an admittedly still be executed on the write datasources, but we think it might at least slow hackers down and provide an additional layer of security.  Think it's worth the trouble?  Is this a common practice?  Thanks!

| ‎06-25-2008 05:10 PM

I will be getting back to the "Day in the Life of the DBA" series of posts, but I got this from the security

| ‎06-25-2008 05:55 PM

Doesnt' support POST forms or Javascript. In other words, this demo tool can't actually test anything that any web developer would have written since, oh, say 2001.

Epic fail.

| ‎06-25-2008 05:59 PM

In response to edddy:

update footable set last_name="Jones" where row_id="47";

Write-only users tend to be useless if you ever have to update rows based upon criteria. Assuming your users do more than keep a database of page hits, your solution has a serious problem.

| ‎06-25-2008 06:11 PM

Hi everyone, thanks for your feedback, a lot of people are pretty critical about our decision to not include testing of POST parameters. we thought about it, but the original scope of this tool was to find the same types SQL injection vulns that were recently responsible for the compromise of over 500,000 sites (some estimates suggest 2 million sites). I know, most people would think something like this wouldn't be so prevalent but it would seem that the majority of web sites are still developed without regard to security issues. It's out hope with this tool that we can build awareness of this issue and help folks out there justify the need to consider security issues when they are building and testing their applications. If folks have feature requests or other rants and raves, please feel free to let us know in our Scrawlr forum at www.communities.hp.com/.../198.aspx

Thanks!

| ‎06-26-2008 06:53 AM

This is similar to many tools available in the hacker community.

Re modified code ? ahem....

| ‎06-26-2008 06:55 AM

itz totally useless ... in market already lot of tool like this.

itz not proper crawling thing !

| ‎06-26-2008 01:25 PM

It would be nice if the tool could use cookies from previous authentications or allow the tester to input their credentials prior to initiating the crawl.  Without one of these features, the tool can't crawl websites that require authentication so it's not very useful.  

| ‎06-26-2008 04:29 PM

Is this tool just a subset of HP/SPI Dynamics' SQL Injector tool?  If I already own that own, should I bother with this tool?

| ‎06-26-2008 06:45 PM

Reply to Richard Jackson:

SQL injection can be used to steal data on a read-only database (such as account numbers and addresses).  It can also be used to run code on the server if the DB engine hasn't been hardened.  Your suggested limitations do not add protection but will instead break some well designed sites.

| ‎06-27-2008 12:10 AM

We Mac users need to be able to check the vulnerabilities of our web sites too, but we can't use the MSI file. Are there any plans to create software that I can use on OSX?

| ‎06-27-2008 10:28 AM

thanks for the info

| ‎06-30-2008 10:41 AM

The comic is xkcd http://xkcd.com/

The tool is useless, scrawl is entirely unable to detect even the simplest vulnerabilities, i went as far as pasting an example injection into the url bar and it okayed that!!! I also have an intentionally vulnerable site with local only access that we are using to configure our new IDS and it didn't find a thing... seriously, if you take anything away from this, let it be the comic.

| ‎07-01-2008 09:54 AM

HP make hacking tools? *** OFF, newb cakes

| ‎07-01-2008 06:51 PM

Erik, If's tough trying to "train" developers, seems they are all from the "show me" state. Raising awareness is nice, getting in the face of developers with their tablenames is much nicer, finding the offensive code to protect an infrastructure is best. You get us 5/8 of the way there.

| ‎07-05-2008 12:45 AM

Pingback from  A Promenade Digital Life??? -   Scrawlr: Functional SQL Injector Tool

| ‎07-08-2008 07:50 AM

Well the tool is pretty cool, but there is a glitch in one of the scripts that reads out the database. The tool performs a: select cast(db_name(dbid) as int)  from master..sysprocesses where spid=@@SPID

which when encrypted looks like:

(select+cast(CHAR(+127+)%2bdb_name(dbid)%2bCHAR(+127+)+as+int)++from+master..sysprocesses+where+spid%3d%40%40SPID)

The script should in fact read:

(select+cast(CHAR(+127+)%2bdb_name(dbid)%2bCHAR(+127+)+as+nvarchar)++from+master..sysprocesses+where+spid%3d%40%40SPID)

The cast has to be to nvarchar instead of int to be able to read out the database name. :-)

Roll on developers for version 2.0?

| ‎07-10-2008 07:51 AM

In collaboration with SQL Server, IIS, and Hewlett Packard, the Microsoft Security Response Center (MSRC)

| ‎07-10-2008 07:51 AM

In collaboration with SQL Server, IIS, and Hewlett Packard, the Microsoft Security Response Center (MSRC)

| ‎07-10-2008 07:53 AM

Pingback from  New tools enhance SQL Server security « Circuitous windings in thought

| ‎07-14-2008 08:47 PM

Poorly written web code is one of the most causes of sql injection!.


Interesting post.


F.


| ‎07-17-2008 04:15 PM

I just tried to run this on my site.

It keeps saying scan did not complete (Scrawl limit reached).

| ‎07-19-2008 04:54 AM

This tool seriously needs a requirement that you place a certain file in the root of your website before it will scan.  This is what Google Apps does to make sure you own the domain (or at least have access to change the files in it).  Without this feature in place, this tool will do as much harm as it does good.

That said, this is an awesome tool.  I have been looking for something like this for months, and I have patched my site in a matter of minutes.

| ‎07-22-2008 10:57 AM

Pingback from  Scrawlr - check *your* website for SQL injections | SecurityGuy.org

| ‎07-22-2008 04:54 PM

What sort of 'injection' can happen without a field to inject sql into?  And so, what sort of injection can happen witthout POST and form support?  

I'm afraid I don't see the use of this.

| ‎07-23-2008 08:34 AM

I ran scrawlr on my site as I had already been infected once

However the page htat was infected was not in the list of pages scanned

Has anyone any ideas what is the problem?

| ‎07-24-2008 06:26 PM

The author of this article may want to visibly acknowledge xkcd.com as the source of the comic strip to avoid being a ***.

| ‎08-01-2008 04:22 AM

Pingback from  » New tools enhance SQL Server security | SQL Server Feeds

| ‎08-01-2008 04:29 AM

Pingback from  » New tools enhance SQL Server security | SQL Server Feeds

| ‎08-06-2008 08:09 AM

Pingback from  » New tools enhance SQL Server security | SQL Server Feeds

| ‎08-06-2008 02:00 PM

Pingback from  » New tools enhance SQL Server security | SQL Server Feeds

| ‎08-11-2008 08:01 PM

my site got hit thought id use this but it doesnt help at all. nothing is vulnerable.

| ‎08-13-2008 12:00 AM

Pingback from  greg hughes - dot net - SQL Injection attacks in the wild - why they're working and what to do

| ‎08-14-2008 04:11 AM

Pingback from  Finding SQL Injection vulnerabilities on your site

| ‎08-30-2008 05:05 AM

Just curious how it works & what it searches for. I tested it on a site with know vulnerabilities and it didn't find any...

| ‎09-21-2008 03:23 PM

Pingback from  Como testar se meu site est?? vunelr??vel? | Sql Injection

| ‎02-23-2009 04:34 AM

Pingback from  Finding XSS in your database with Scrubbr « omg.wtf.bbq.

| ‎03-11-2009 07:02 AM

Pingback from  BeCouZ  :  10 Tips to Fixes the Worst Security Problems on PC

Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the Community Guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Search
Showing results for 
Search instead for 
Do you mean 
About the Author
Featured


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.