[Owasp-cincinnati] FW: [Owasp-dotnet] Fwd: FW: [WEB SECURITY] Announcing Scrawlr: SQLInjector and Crawler

Marco M. Morana marco.m.morana at gmail.com
Tue Jun 24 22:45:25 EDT 2008

Scrawlr announcement - Microsoft / HP Collaborate on SQL Injection tool:



I haven't checked out the tool yet; if anyone has, please let the list know.






> From: billy.hoffman at hp.com
> To: websecurity at webappsec.org
> Date: Tue, 24 Jun 2008 21:35:01 +0000
> Subject: [WEB SECURITY] Announcing Scrawlr: SQL Injector and Crawler
>
> In response to all the Mass SQL Injection attacks this year, Microsoft
> approached HP and the Web Security Research Group (formerly SPI Labs) for
> assistance. While there was nothing they could patch, Microsoft wanted to
> provide tools to help developers find and fix these issues. After a month of
> development HP created Scrawlr.
>
> Scrawlr (short for SQL Injector and Crawler) is a free tool that will
> crawl a website while simultaneously analyzing the parameters of each
> individual web page for SQL Injection vulnerabilities. Scrawlr was designed
> specifically to help protect against these mass injection attacks, which are
> using Google queries to find older web applications and automatically
> inject them. As such, Scrawlr crawls a website using the same techniques
> as a search engine: it doesn't keep state, or submit forms, or execute
> JavaScript or Flash. This Scrawl is finding and auditing the pages that
> would have been indexed by the search engines.
>
> To reduce false positives Scrawlr provides proof of the vulnerability
> results by displaying the type of backend database in use and a list of
> available table names. There is no denying you have SQL Injection when I can
> show you table names!
>
> Microsoft Announcement here:
> HP WSRG Blog:
> Download here: https://download.spidynamics.com/Products/scrawlr/
> Enjoy,
> Billy Hoffman
> --
> Manager, HP Web Security Research Group
> HP Software - Application Security Center
> Direct: 770-343-7069

