Tuesday, June 24, 2008

HP and MS give us a new SQL Injection tool

Armando Romeo

I just downloaded it and am trying it while I write.
After the recent mass SQL injection attacks, Microsoft decided to call HP (which owns SPI Labs) to create a tool to detect potential SQL injections in a site.

The tool's name is Scrawlr and it is downloadable from HP here.

It first acts as a crawler (SQL Injection Crawler).
It then makes a list of dynamic pages and finally tries to inject SQL injection payloads to prove the existence of the vulnerability.

I must say it is nothing impressive. It is limited in the number of links crawled (it picked up just a small fraction of the actual links in my local Joomla installation).

I even created a simple page with a basic blind SQLi vulnerability, but it didn't recognize the injection.
It's just a matter of comparing two outputs based on two different attack payloads. But nothing. It seems the tool only looks for known SQL errors in the returned page and does no blind SQL injection detection.
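To make the difference between the two detection approaches concrete, here is an added example (not the test page from this post and not Scrawlr's code). It builds a local page that swallows database errors and runs an error-signature check and a two-payload comparison check against it and against a parameterized version. The table, function names and signature list are all constructed for illustration.

```python
import sqlite3

# Constructed test data: an in-memory table standing in for a site's article store.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE articles (id INTEGER, title TEXT)")
DB.execute("INSERT INTO articles VALUES (1, 'Hello world')")

def render(row):
    return "<h1>%s</h1>" % row[0] if row else "<h1>Not found</h1>"

def vulnerable_page(id_param):
    """Local test page: concatenates input and hides DB errors (the blind case)."""
    try:
        row = DB.execute(
            "SELECT title FROM articles WHERE id = " + id_param).fetchone()
    except sqlite3.Error:
        row = None  # error swallowed, so no SQL error text reaches the client
    return render(row)

def hardened_page(id_param):
    """Same page with a bound parameter: the input is data, never SQL."""
    row = DB.execute(
        "SELECT title FROM articles WHERE id = ?", (id_param,)).fetchone()
    return render(row)

# Constructed sample of error strings an error-based scanner might look for.
ERROR_SIGNATURES = ("sql syntax", "unclosed quotation mark", "odbc", "sqlite3.")

def error_signature_check(page, value="1"):
    """Flags the page only if a known DB error string shows up in the response."""
    body = page(value + "'").lower()
    return any(sig in body for sig in ERROR_SIGNATURES)

def boolean_differential_check(page, value="1"):
    """Flags the page if an always-true condition reproduces the baseline
    response while an always-false condition changes it."""
    baseline = page(value)
    when_true = page(value + " AND 1=1")
    when_false = page(value + " AND 1=2")
    return when_true == baseline and when_false != baseline

if __name__ == "__main__":
    for page in (vulnerable_page, hardened_page):
        print(page.__name__,
              "error-signature:", error_signature_check(page),
              "differential:", boolean_differential_check(page))
```

The error-signature check reports nothing for either page, while the comparison check flags only the concatenating page; the parameterized page returns "Not found" for both modified inputs, so it is not flagged.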

Further tests should be done, but it's 2 am in Italy, so I hope to read your comments about the tool when I wake up...
