HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Top Five Web Application Vulnerabilities 10/27/09 - 11/8/09

1) HP Power Manager Management Web Server Login Remote Code Execution Vulnerability


HP Power Manager is susceptible to a remote code execution vulnerability via the login form of the web based management web server due to improper bounds-checking of user-supplied data. Exploitation of this vulnerability can give an attacker the means to enact SYSTEM level commands and possibly lead to a complete compromise of the affected system. Even failed attempts will likely cause a denial-of-service condition. Updates which resolve this issue have been released. Contact the vendor for additional information.


http://www.securityfocus.com/bid/36933


2) Oracle WebLogic Server Administration Console HTML Injection Vulnerability


Oracle WebLogic Server is susceptible to an HTML Injection vulnerability via the Web Administration Console. HTML Injection is used to add content into a web server’s response, which can then be used to steal cookie-based authentication credentials, execute arbitrary code in context of the site, or simply alter how the site appears. Updates which address this issue are available. Contact the vendor for more details.


http://www.securityfocus.com/bid/36766


3) Xerox Fiery WebTools 'summary.php' SQL Injection Vulnerability


Xerox Fiery WebTools is susceptible to a SQL Injection vulnerability. SQL Injection can give an attacker full access to a backend database, and in certain circumstances can be utilized to take complete control of a system. A fix has not yet been released. Contact the vendor for more information.


http://www.securityfocus.com/bid/36906


4) IBM Lotus Connections Mobile Activities Pages Cross-Site Scripting Vulnerability


IBM Lotus Connections is susceptible to a Cross-Site Scripting vulnerability. An attacker can leverage this to execute script code in the browsers of unsuspecting users in context of the affected application, possibly leading to theft of authentication credentials and other attacks. Updates which resolve this issue have been released. Contact the vendor for further details.


http://www.securityfocus.com/bid/36831


5) Roundcube Webmail Multiple Cross-Site Request Forgery Vulnerabilities


Roundcube Webmail is susceptible to multiple instances of Cross-Site Request Forgery. Cross-Site Request Forgery leverages the trust a web application places in a user to make authenticated requests that appear completely legitimate, and can be used to abuse any type of functionality the web application contains. Updates which resolve these issues have been released. Contact the vendor for additional information.


http://www.securityfocus.com/bid/36920

Top Five Web Application Vulnerabilities 10/12/09 - 10/25/09

1) TYPO3 Core Multiple Vulnerabilities


TYPO3 is susceptible to multiple remote vulnerabilities including SQL-injection, Cross-Site Scripting, information disclosure, frame and session hijacking, and shell-command-execution issues. Each of these issues is exploitable via a browser, although some might require a valid backend login. If exploited, these vulnerabilities could lead to a complete compromise of the application, the theft of confidential information and authentication credentials, hijacked user sessions, or execution of arbitrary commands in context of the web server process. Updates which resolve these issues are available. Contact the vendor for additional details.


http://www.securityfocus.com/bid/36801


2) IBM Rational RequisitePro ReqWebHelp Multiple Cross-Site Scripting Vulnerabilities


IBM Rational RequisitePro is susceptible to multiple Cross-Site Scripting vulnerabilities. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. An advisory and updates which address these issues are available. Contact the vendor for more information.


http://www.securityfocus.com/bid/36721


3) Websense Email Security Cross-Site Scripting and HTML Injection Vulnerabilities


Websense Email Security is susceptible to Cross-Site Scripting and HTML Injection vulnerabilities. Successful exploitation of these issues could be used to alter how the site appears, steal authentication credentials, or execute malicious scripts in the browsers of unsuspecting users. Updates which resolve these issues are available. Contact the vendor for further details.


http://www.securityfocus.com/bid/36741


4) Achievo Multiple Vulnerabilities


Achievo is susceptible to multiple vulnerabilities including Cross-Site Scripting, SQL Injection, and HTML Injection. Successful exploitation of these issues could be used to give an attacker the means to access or modify backend database contents, alter how the site appears, steal authentication credentials, or execute malicious scripts in the browsers of unsuspecting users. Updates which resolve these issues are available. Contact the vendor for additional information.


http://www.securityfocus.com/bid/36661
http://www.securityfocus.com/bid/36660


5) NaviCOPA Source Code Information Disclosure Vulnerability


NaviCOPA is susceptible to a source code information disclosure vulnerability. An attacker can leverage this vulnerability to retrieve certain files from the affected system in context of the web server process. A fix has not yet been released. Contact the vendor for more details.


http://www.securityfocus.com/bid/36705

Top Five Web Application Vulnerabilities 9/14/09 - 9/27/09

1) Novell GroupWise WebAccess Cross-Site Scripting Vulnerability


Novell GroupWise WebAccess is susceptible to a Cross-Site Scripting vulnerability. An attacker can leverage this vulnerability to execute script code in the browser of an unsuspecting user in context of the affected application, possibly leading to theft of authentication credentials and other attacks. Updates which resolve this issue have been released. Contact the vendor for additional information.


http://www.securityfocus.com/bid/36437


2) IBM Lotus Quickr Multiple HTML Injection Vulnerabilities


IBM Lotus Quickr is susceptible to multiple HTML Injection vulnerabilities. HTML Injection is used to add content into a web server’s response, which can then be used to steal cookie-based authentication credentials, execute arbitrary code in context of the site, or simply alter how the site appears. Fixes which address these vulnerabilities are available. Contact the vendor for more details.


http://www.securityfocus.com/bid/36527


3) IBM WebSphere Application Server Eclipse Help Cross-Site Scripting Vulnerability


IBM WebSphere Application Server (WAS) is susceptible to a Cross-Site Scripting vulnerability. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. Updates which resolve this vulnerability have been released. Contact the vendor for further information.


http://www.securityfocus.com/bid/36455


4) OSSIM SQL Injection, Cross Site Scripting and Unauthorized Access Vulnerabilities


OSSIM is susceptible to multiple vulnerabilities including SQL Injection, Cross-Site Scripting, and unauthorized access. If exploited, these vulnerabilities could lead to compromise of the application, the theft of confidential information and authentication credentials, or be utilized in conducting additional database attacks. Updates which resolve these issues are available. Contact the vendor for additional details.


http://www.securityfocus.com/bid/36504


5) IBM Lotus Connections 'simpleSearch.do' Cross-Site Scripting Vulnerability


IBM Lotus Connections is susceptible to a Cross-Site Scripting vulnerability. This can be exploited to execute code in the browser of an unsuspecting user and steal cookie-based authentication credentials. Updates which resolve this issue are available. Contact the vendor for more information.


http://www.securityfocus.com/bid/36513

60% of Internet attacks now conducted against web applications

New studies have gone a long way toward confirming that certain web application security trends are accelerating. The SANS Top Cyber Security Risks report reveals that a full 60% of Internet attacks are now conducted against web applications. It's no longer unpatched operating systems that provide attackers with their main point of entry. In fact, patches for known flaws in operating systems are installed twice as fast as those for web application security vulnerabilities. Apparently, there are so many custom and open-source applications on a typical network that most admins can't even catalog them, let alone update them. And with more than 80% of newly-reported software flaws being in common web applications, the numbers will only get worse. Despite the rise in web application attacks, organizations are not doing the simple things to improve their security, such as scanning for common flaws like SQL Injection and Cross-Site Scripting. Scanning can go a long way towards preventing your servers from hosting malicious content which can infect users with malware, yet many organizations still bypass this critical step. And it's legitimate websites that have been compromised and are serving as malware servers that are now doing the most damage. Just ask the New York Times.

The SANS report is available at http://www.sans.org/top-cyber-security-risks/

Top Five Web Application Vulnerabilities 8/31/09 - 9/13/09

1) Ruby on Rails Form Helpers Unicode String Handling Cross-Site Scripting Vulnerability

 

Ruby on Rails is susceptible to a Cross-Site Scripting vulnerability. An attacker can leverage Cross-Site Scripting to execute script code in the browsers of unsuspecting users in context of the affected application, possibly leading to theft of authentication credentials and other attacks. Updates which address this issue have been released. Contact the vendor for additional information.

 

http://www.securityfocus.com/bid/36278

 

2) IBM Lotus Domino Web Access Cross-Site Scripting Vulnerability

IBM Lotus Domino Web Access (iNotes) is susceptible to a Cross-Site Scripting vulnerability. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. Updates which address this issue have been released. Contact the vendor for further details.

 

http://www.securityfocus.com/bid/36292

 

3) Mozilla Bugzilla Multiple Remote Vulnerabilities

 

Bugzilla is susceptible to several remote vulnerabilities including multiple instances of SQL Injection and a password disclosure vulnerability. SQL Injection can give an attacker full access to a backend database, and in certain circumstances can be utilized to take complete control of a system. The information disclosure vulnerability can be leveraged to steal user passwords. Fixes which address these issues have been released. Contact the vendor for more information.

 

http://www.securityfocus.com/bid/36373 (‘Bug.create()’ WebService Function SQL Injection Vulnerability)
http://www.securityfocus.com/bid/36372 (URL Password Information Disclosure Vulnerability)
http://www.securityfocus.com/bid/36371 (‘Bug.search()’ WebService Function SQL Injection Vulnerability)

 

4) IBM Lotus Notes RSS Reader Widget HTML Injection Vulnerability

 

IBM Lotus Notes is susceptible to an HTML Injection vulnerability. HTML Injection is used to add content into a web server’s response, which can then be used to steal cookie-based authentication credentials, execute arbitrary code in context of the site, or simply alter how the site appears. This issue has reportedly been resolved in a hotfix. Contact the vendor for more details.

 

http://www.securityfocus.com/bid/36305

 

5) DotNetNuke Multiple Cross-Site Scripting Vulnerabilities

 

DotNetNuke is susceptible to multiple Cross-Site Scripting vulnerabilities. These vulnerabilities can be exploited to execute code in the browser of an unsuspecting user and steal cookie-based authentication credentials. Updates which resolve these issues are available. Contact the vendor for additional information.

 

http://www.securityfocus.com/bid/36274

 


 

One vulnerability can be your downfall

Court papers recently filed in conjunction with the indictment of Albert Gonzalez reveal that SQL Injection attacks were behind the data breach that allowed hackers to steal massive amounts of data from Heartland Payment Systems, TJX, and other businesses. Over 130 million credit and debit card numbers were ultimately obtained, all because of the failure in a web application to properly validate user-supplied data. The level of knowledge required to enact such devastating attacks continues to plummet, and the criminal desire behind them continues to rise. It's amazing what could have been prevented with proper application security in place.

 

 

This attack also perfectly illustrates how exploitation techniques have changed in just the past few past years. Once upon a time, hackers were content to steal the data from a database and then leave. Now, they infect the system with malicious software and perpetuate attacks across a much larger time frame, exponentially escalating the damage. The harm that can come from one relatively simple exploitable hole is phenomenal. Keeping your web applications secure has never been more important.  

 

http://www.networkworld.com/news/2009/082409-us-says-sql-injection-caused.html

Top Five Web Application Vulnerabilities 8/03/09 - 8/16/09

1) Oracle Config Management Multiple SQL-injection Vulnerabilities


Oracle Config Management is susceptible to multiple SQL Injection vulnerabilities. SQL Injection can give an attacker full access to a backend database, and in certain circumstances can be utilized to take complete control of a system. Successful exploitation of these vulnerabilities requires 'Valid Session' privileges. Updates which address these issues are available. Contact the vendor for additional information.


http://www.securityfocus.com/bid/35692
http://www.securityfocus.com/bid/35676


2) SAP NetWeaver Application Server 'uddiclient/process' HTML Injection Vulnerability


SAP NetWeaver Application Server is susceptible to an HTML Injection vulnerability. HTML Injection is used to add content into a web server’s response, which can then be used to steal cookie-based authentication credentials, execute arbitrary code in context of the site, or simply alter how the site appears. Updates which resolve this issue are available. Contact the vendor for more details.


http://www.securityfocus.com/bid/36034


3) WordPress 'wp-login.php' Admin Password Reset Security Bypass Vulnerability


WordPress is susceptible to an admin password reset security bypass vulnerability. Successful exploitation will allow an attacker to reset the administrator password of the application. Updates which address this issue have been released. Contact the vendor for more information.


http://www.securityfocus.com/bid/36014


4) SQLiteManager 'main.php' Cross Site Scripting Vulnerability


SQLiteManager is susceptible to a Cross-Site Scripting vulnerability. An attacker can leverage this issue to execute script code in the browsers of unsuspecting users in context of the affected application, possibly leading to theft of authentication credentials and other attacks. A fix has not yet been released. Contact the vendor for further details.


http://www.securityfocus.com/bid/36002


5) WordPress Plugin WP-Syntax Remote PHP Code Execution Vulnerability


The WP-Syntax plugin for WordPress is susceptible to a remote code execution vulnerability. Attackers can leverage this issue to execute arbitrary PHP code within the context of the affected webserver process. A fix has not yet been released. Contact the vendor for additional details.


http://www.securityfocus.com/bid/36040


 

Top Five Web Application Vulnerabilities 5/26/09 - 6/07/09

1) Sun Java System Web Server Reverse Proxy Plug-in Cross-Site Scripting Vulnerability


Sun Java System Web Server is susceptible to a Cross-Site Scripting vulnerability. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. Updates which resolve this vulnerability have been released. Contact the vendor for further details.


http://www.securityfocus.com/bid/35204


2) PHP-Nuke 'main/tracking/userLog.php' SQL Injection Vulnerability


PHP-Nuke is susceptible to a SQL Injection vulnerability. Successful exploitation could give an attacker the means to access or modify backend database contents, or in some circumstances be utilized to take control of the server hosting the database. A solution has not yet been released. Contact the vendor for additional information.


http://www.securityfocus.com/bid/35117


3) phpBugTracker Multiple SQL Injection Vulnerabilities


phpBugTracker is susceptible to multiple SQL Injection vulnerabilities. SQL Injection can allow an attacker full access to a backend database, and in certain circumstances can be utilized to take complete control of a system. Solutions have not yet been released. Contact the vendor for more information.


http://www.securityfocus.com/bid/35101
http://www.securityfocus.com/bid/35125


4) Apache Tomcat Form Authentication Existing/Non-Existing Username Enumeration Weakness


Apache Tomcat is susceptible to a username-enumeration weakness because different login results can be exploited to determine whether usernames are valid. Updates which resolve this issue are available. Contact the vendor for additional details.


http://www.securityfocus.com/bid/35196


5) IBM FileNet Content Manager Cached Subject Security Bypass Vulnerability


IBM FileNet Content Manager is susceptible to a security bypass vulnerability that may allow access to sensitive information. Fixes which address this issue have been released. Contact the vendor for further information.


http://www.securityfocus.com/bid/35228

Top Five Web Application Vulnerabilities 4/28/09 - 5/10/09

1) Multiple Symantec Products Log Viewer Script Injection Vulnerabilities


Multiple Symantec Products are susceptible to browser-exploitable script injection vulnerabilities due to improper sanitization of user-supplied input used in dynamically created content. Successful exploitation would give an attacker the means to steal cookie-based authentication credentials, or simply alter how the site appears. Other attacks are likely possible. Updates which resolve these issues have been released. Contact the vendor for additional details.


http://www.securityfocus.com/bid/34669


2) Citrix Web Interface Unspecified Cross-Site Scripting Vulnerability


Citrix Web Interface is susceptible to a Cross-Site Scripting vulnerability. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. Updates which address this issue have been released. Contact the vendor for more information.


http://www.securityfocus.com/bid/34761


3) IceWarp Merak Mail Server Multiple Vulnerabilities


IceWarp Merak Mail Server is susceptible to multiple vulnerabilities including SQL Injection, Cross-Site Scripting, and other input validation issues. If exploited, these vulnerabilities could lead to compromise of the application, the theft of confidential information and authentication credentials, or be utilized in conducting additional database attacks. Updates which resolve these issues have been released. Contact the vendor for further information.


http://www.securityfocus.com/bid/34820
http://www.securityfocus.com/bid/34825
http://www.securityfocus.com/bid/34827
http://www.securityfocus.com/bid/34823


4) GlassFish Enterprise Server Multiple Cross-Site Scripting Vulnerabilities


GlassFish Enterprise Server is susceptible to multiple Cross-Site Scripting vulnerabilities. Cross-Site Scripting occurs when dynamically generated web pages display user input, such as login information, that is not properly validated, allowing an attacker to embed malicious scripts into the generated page and then execute the script on the machine of any user that views the site. Updates which resolve these issues are available. Contact the vendor for additional information.


http://www.securityfocus.com/bid/34824


5) Jetty Cross-Site Scripting and Information Disclosure Vulnerabilities


Jetty is susceptible to a Cross-Site Scripting and an information disclosure vulnerability. These vulnerabilities could be exploited to execute code in the browser of an unsuspecting user, steal cookie-based authentication credentials, or access sensitive information. A fix which resolves these vulnerabilities has been released. Contact the vendor for more details.


http://www.securityfocus.com/bid/34800

Paris Hilton's Web Site Infecting Users

Paris Hilton’s website was infected with some pretty nasty malware over the past weekend. ScanSafe (who discovered the compromise) said that over 15,000 sites were detected to have this malware installed, including an ad on MLB.com. So far, most AV products aren't stopping it, either. Visitors to parishilton.com were prompted with a sham pop-up that they needed an 'upgrade' to continue browsing the site. Both the 'Cancel' and 'OK' options caused the malware to be downloaded. According to ScanSafe, only a hard quit (CTRL-ALT-DELETE) would stop it from occurring (by closing it via the Task Manager? Not sure what that really means). Basically, an I-frame was embedded in the site, which pointed to a .pdf on a malicious site (you69tube.com). Once the downloader was executed by clicking ‘OK’ or ‘Cancel’, a Trojan rootkit was installed on the user’s system. A normal user would have had their banking credentials and personal information put at risk (software designed to capture banking information was the first malicious package installed). Enterprise users risked having their HTTP and network traffic redirected and intercepted. That's just as bad as it sounds. The working theory now is that the original vulnerability in the site was in the open CMS package Joomla...more than likely via our old friend, SQL Injection. Seems the operators of the site weren’t keeping up to date with their patches.

How can you protect yourself? For starters, businesses should block youtube69.com. Users should realize AV products are no guarantee against infection and should stick to trusted sources when upgrading anything. Be aware when visiting obvious targets (celebrity sites, etc.) of the potential risks.

 

 

http://www.scmagazineus.com/Paris-Hiltons-website-infects-users-with-data-stealing-trojan/article/123951/

The CWE/SANS Top 25 Most Dangerous Programming Errors

This week saw the release of the “Top 25 Most Dangerous Programming Errors” list from MITRE and SANS.  At first skim, I nearly discarded it as just an effort to pad resumes—after all, do we really need another “top X” list (every group with a barely pronounceable acronym has their own)? Weighing heavily into that opinion is that of the Top 25, there is some serious overlap that, I think, won’t really help developers.

 

For example, CWE-20 is “Improper Input Validation” and CWE-116 is “Improper Encoding or Escaping of Output.”  If developers fully understand these two and the associated risks of not doing them, they will almost certainly resolve several of the other 25, including:


- CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection')
- CWE-79: Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
- CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command Injection')
- CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer

 

Isn’t “Failure to Preserve SQL Query Structure” just another way of saying that you didn’t properly filter and encode tainted data? MITRE’s Steve Christey, in discussing the CWE Top 25, says the following about mixed reviews on including both input validation and encoding:

 

Part of it seems to come down to different ways of looking at the same problem. For example, is SQL injection strictly an input validation vulnerability, or output sanitization/validation/encoding or whatever you want to call it? In a database, the name "O'Reilly" may pass your input validation step, but you need to properly quote it before sending messages to the database. And the actual database platform itself has no domain model to "validate" whether the incoming query is consistent with business logic.


I’m not disagreeing with Steve that they should both be included; rather, I’m arguing that they should be included instead of the CWE numbers listed above. After all, the programming error is not properly filtering and/or encoding tainted data; the resulting vulnerability is SQL Injection, Cross-Site Scripting, etc.
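Steve's "O'Reilly" point is easy to show in code. The following is an added example, not code from this post or from HP: a name that passes a reasonable allow-list input check (CWE-20) still changes the structure of a query built by concatenation (CWE-89), while a bound parameter and context-aware output encoding (CWE-116) keep the SQL and HTML structure fixed. The sample rows and the function names are constructed for the example; SQLite is used only because it runs in memory.

```python
import html
import re
import sqlite3

# Constructed sample rows for the example (not data from the original post).
SAMPLE_USERS = [
    ("O'Reilly", "tim@example.invalid"),
    ("Christey", "steve@example.invalid"),
]

# A CWE-20 style allow-list for a person's name: letters, spaces, hyphens
# and apostrophes. "O'Reilly" is legitimate input and must be accepted.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,63}")


def passes_input_validation(name: str) -> bool:
    """Input validation step (CWE-20). Accepts "O'Reilly", rejects '<b>'."""
    return NAME_RE.fullmatch(name) is not None


def _fresh_db() -> sqlite3.Connection:
    """In-memory SQLite table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_email_concat(name: str):
    """Query built by string concatenation (the CWE-89 pattern).

    The data becomes part of the SQL text, so the apostrophe in "O'Reilly"
    terminates the string literal and changes the statement's structure.
    Returns the matching e-mails, or an 'error: ...' string when SQLite
    rejects the now-malformed statement.
    """
    conn = _fresh_db()
    try:
        sql = "SELECT email FROM users WHERE name = '" + name + "'"
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return "error: " + str(exc)
    finally:
        conn.close()


def lookup_email_param(name: str):
    """Same lookup with a bound parameter: the query structure is fixed
    before the data is supplied, so no quoting by hand is needed."""
    conn = _fresh_db()
    try:
        rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
        return [row[0] for row in rows]
    finally:
        conn.close()


def render_greeting(name: str) -> str:
    """Output encoding step (CWE-116) for the HTML context: the validated
    name is escaped for where it is written, which preserves the page
    structure (CWE-79) even though it already passed input validation."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    for candidate in ("O'Reilly", "Christey"):
        print(candidate, passes_input_validation(candidate),
              lookup_email_concat(candidate), lookup_email_param(candidate),
              render_greeting(candidate))
```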

 

One other thing struck me as odd, which is the “Remediation Cost.”  This seems like sheer nonsense—it’s not something a document can define across the board without regard to the underlying application or technology, not to mention the (corporate) environment one has to work in. Is input validation remediation cost really “Low” when you might have to first educate your developers, make sure they understand the context and application logic (to make smart decisions about proper changes), and finally go through testing to ensure nothing is broken as a result? Likely not.

All that said—and those are things that may be changed in future versions of the list—my opinion has softened to where I’m now in “mixed bag” mode. This is a 1.0 release of a document, and while the authors certainly hope it is perfect, the first release of anything almost definitely isn’t.

 


The truth is that any effort which gets more security knowledge into the heads of developers is a Good Thing and, hopefully, successful at causing applications to be more secure than they were. Also, any type of release that makes headlines outside of the security industry—where it may trigger a positive reaction in a programmer or developer—is definitely a win for security.  Certainly New York State took notice, now let’s hope their software suppliers do as well.

 

These are just a few issues that came to mind when reading the list. Gary McGraw wrote “Top 11 Reasons Why Top 10 (or Top 25) Lists Don’t Work,” and while I don’t agree with everything he says, there are a few that make reading the list worthwhile.  I’ll point out #8:


 



Automated tools can find bugs — let them. Teaching all developers the 700+ bad things in the Common Weakness Enumeration (or the even larger set of permutations allowed by languages like C++) is a futile exercise. We can start by using static analysis tools to remember all of the potential bugs and alert us to their presence.


I wholeheartedly agree with the second part of this one, and not just because I work for a company that sells automated security tools. With the complexity and sheer volume of code in existence these days, automated tools used throughout the dev lifecycle are a cost effective way to catch these issues.

 

I disagree with Gary that educating developers is a futile exercise—in fact, it should be a requirement in every shop and school. Even if the developers are still not great at avoiding the problems in the first place, when the automated tool spits out a list of potential issues, an educated programmer will need to determine if/how/where to make a code change to fix the issue. Improper fixes have led to dozens of incomplete bug remediations, and in some cases, additional vulnerabilities.

 

Anyway, to summarize (since I rambled on), I think the CWE Top 25 Programming Errors list is a little flawed, but given the attention it has received this week I can only applaud the efforts of MITRE and SANS for drawing more attention to security. After all, we’re all (ok, mostly) working toward the same goal: secure applications.

 

 

Finding SQL Injection with Scrawlr

Yes, we know that other blogs on this issue have included this comic, but it's just too perfect to not reference it.


You have likely been tracking the mass SQL Injections that are currently sweeping through the net. Just last night I was shopping on www.ihomeaudio.com when I noticed they had been injected (they have since fixed their site). HP started to observe these attacks in January. They spread to over 500,000 sites by April before calming down and then picking up again in May. Most of the sites hit were initially Microsoft IIS ASP applications, causing many security companies to mistake this for some sort of new vulnerability in IIS and leading Microsoft to research the possibility, but alas, it's just our old friend, SQL Injection. Indeed, we now see this attack hitting ASP and PHP sites, and thanks to Google, it's easy to see just which sites out there have been hit.


While we were closely following the situation, the nice folks at Microsoft contacted us to see if we could work together to help people identify and cope with this issue. Together we quickly developed an action plan. The Microsoft Security Response Center (MSRC) was in a tough spot: hundreds of thousands of ASP sites were getting hacked, yet the vulnerability wasn't something Microsoft could release a patch for. SQL Injection is an issue that occurs because of poorly written web code interfacing with the web site's backend database, and the solution was much more complicated than a simple patch. Developers were going to have to learn about security and were going to have to patch their code if they were going to solve this. Microsoft's Security Vulnerability Research & Defense has a blog about this problem as well, where they share Microsoft's recommendations for this problem.


Now if you are no stranger to web security, you might be saying "well duh" right about now. Unfortunately, to at least 500,000 sites on the Internet this concept is still pretty new, and if you are one of the folks who are just now learning what SQL Injection is, I highly recommend you read HP's Web Security Research Group white papers on verbose and blind SQL injection located in our HP application security resource library.


Introducing HP Scrawlr



 



When Microsoft contacted us, they asked us to equip their customers with the tools necessary to quickly find SQL Injection vulnerabilities in their sites. HP's application security software, DevInspect, QAInspect and WebInspect all find SQL Injection and countless other security vulnerabilities. DevInspect can even inspect your source code for SQL Injection as well and guide developers through the process of fixing their code. But what if you need to just quickly look for SQL Injection before you decide how you are going handle the issue? We needed something quick, highly accurate and easy to download and install.


Scrawlr, developed by the HP Web Security Research Group in coordination with the MSRC, is short for SQL Injector and Crawler. Scrawlr will crawl a website while simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. Scrawlr is lightning fast and uses our intelligent engine technology to dynamically craft SQL Injection attacks on the fly. It can even provide proof positive results by displaying the type of backend database in use and a list of available table names. There is no denying you have SQL Injection when I can show you table names!


Technical details for Scrawlr



  • Identify Verbose SQL Injection vulnerabilities in URL parameters

  • Can be configured to use a Proxy to access the web site

  • Will identify the type of SQL server in use

  • Will extract table names (verbose only) to guarantee no false positives


Scrawlr does have some limitations versus our professional solutions and our fully functional SQL Injector tool:



  • Will only crawl up to 1500 pages

  • Does not support sites requiring authentication

  • Does not perform Blind SQL injection

  • Cannot retrieve database contents

  • Does not support JavaScript or flash parsing

  • Will not test forms for SQL Injection (POST Parameters)


Download Scrawlr


You can download Scrawlr by visiting the following link: https://h30406.www3.hp.com/campaigns/2008/wwcampaign/1-57C4K/index.php?mcc=DNXA&jumpid=in_r11374_us/en/large/tsg/w1_0908_scrawlr_redirect/mcc_DNXA.


Scrawlr is offered as-is and is not a supported product. Assistance may be available from other Scrawlr users in our online Scrawlr forum located at http://www.communities.hp.com/securitysoftware/forums/198.aspx.


You can learn more about the HP Web Application Security Group and the HP Application Security Center by visiting our Security Community site at www.communities.hp.com/securitysoftware/ or by visiting our product information page at www.hp.com/go/securitysoftware/.
