The mass SQL injection attacks we talked about in several posts, being mainly targeted at ASP sites running on Microsoft IIS and backed by Microsoft SQL Server, brought Microsoft lots of (quite undeserved) bad press.
Therefore the Microsoft Security Response Center felt the need to do something more than say "blame developers for their poor coding practices", and asked the HP Web Security Research Group (formerly SPI Labs) to create a tool to help site owners identify their SQL injection holes.
So now, after one month of development, HP is announcing Scrawlr, the "SQL Injector and Crawler".

Scrawlr will crawl a website while simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. [...] It can even provide proof positive results by displaying the type of backend database in use and a list of available table names. There is no denying you have SQL Injection when I can show you table names!

Scrawlr can be thought of as a free version of the professional scanners in HP's product portfolio, with limitations that make it suitable for self-diagnosing your site in the specific context of this kind of non-targeted mass attack, which usually injects through URL query parameters found in links rather than through POST requests from forms. In fact, it

  • Will only crawl up to 1500 pages
  • Does not support sites requiring authentication
  • Does not perform Blind SQL injection
  • Cannot retrieve database contents
  • Does not support JavaScript or flash parsing
  • Will not test forms for SQL Injection (POST Parameters)
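Since these mass attacks arrive through URL query parameters on links rather than POSTed forms, the attempts also show up in the web server's own logs. The following is an added example (not part of this post or of Scrawlr) that triages constructed IIS/W3C-style log lines and flags GET requests whose decoded query-string values carry SQL syntax, leaving POSTs and plain requests alone:

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS/W3C-style log lines (not real traffic):
# date time cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2008-06-25 10:01:02 GET /product.asp id=42 200
2008-06-25 10:01:05 GET /product.asp id=42';DECLARE%20@s%20VARCHAR(4000) 500
2008-06-25 10:01:09 GET /search.asp q=ballad%20of%20cast%20iron 200
2008-06-25 10:02:13 GET /news.asp id=7%20UNION%20SELECT%20name%20FROM%20sysobjects 200
2008-06-25 10:02:20 POST /login.asp - 302
"""

# SQL syntax landing inside a query-string value. Matched on the URL-decoded
# value as SQL tokens, so ordinary words ("cast iron" in a search box) pass.
INDICATORS = re.compile(
    r"'\s*;|;\s*declare\b|\bunion\s+select\b|\bexec\b|\bcast\s*\(|\bsysobjects\b",
    re.IGNORECASE,
)

def parse_line(line):
    """Split one log line into its fields; None for malformed lines."""
    fields = line.split()
    if len(fields) != 6:
        return None
    _date, _time, method, stem, query, status = fields
    return {"method": method, "stem": stem, "query": query, "status": int(status)}

def decode_params(query):
    """Split cs-uri-query into (name, decoded value) pairs. Done by hand rather
    than with parse_qsl so a ';' inside a value is never read as a separator."""
    params = []
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        params.append((unquote_plus(name), unquote_plus(value)))
    return params

def triage(log_text):
    """Return (stem, parameter, decoded value) for each GET whose query string
    carries an indicator; POSTs and requests without a query are skipped."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["query"] == "-":
            continue
        for name, value in decode_params(rec["query"]):
            if INDICATORS.search(value):
                findings.append((rec["stem"], name, value))
    return findings
```

Each hit names the page and parameter that received SQL syntax, which is exactly the input a scanner such as Scrawlr would probe and the place a fix (parameterized queries) belongs.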

Scrawlr can be downloaded here.
Of course, once you've found your site is vulnerable (and if you're in doubt, it's 99% likely to be), you still need to plug your holes.
If you've got the budget for a professional code review and cleanup service, just ask :)

6 Responses to “Got SQL Injections? Free HP Tool Tells You.”

  1. #1 links for 2008-06-25 | says:

    [...] » Got SQL Injections? Free HP Tool Tells You. Thanks HP. (tags: security programming webdesign sql) [...]

  2. #2 Russian Muslims fear the clericalization of society says:

    [...] Got SQL Injections? Free HP Tool Tells You. [...]

  3. #3 Serie A: Roma failed to beat Cagliari says:

    [...] Got SQL Injections? Free HP Tool Tells You. [...]

  4. #4 Adam says:

    Can it be used to find vulnerabilities in other sites than your own?

  5. #5 Giorgio says:

    Why not?
    On the other hand, if you're thinking about "malicious" usages, its limitations are such that if someone really needs it to find SQL vulnerabilities, chances are that he wouldn't be able to exploit them.

  6. #6 Windows: Check For SQL Vulnerabilities With HP Scrawlr | Hackosis says:

    [...] Scrawlr from the HP site. [via] Tags: Download, HP, Scrawlr, SQL injection, Vulnerability, Web development, Windows [...]
