29 June 2008

Scrawlr – Scanner for SQL Injection

Scrawlr is short for SQL Injector and Crawler, a tool developed by the HP Web Security Research Group in coordination with the Microsoft Security Response Center in response to the widespread SQL injection attacks on the web.

“Scrawlr will crawl a website while simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. Scrawlr is lightning fast and uses our intelligent engine technology to dynamically craft SQL Injection attacks on the fly. It can even provide proof positive results by displaying the type of backend database in use and a list of available table names. There is no denying you have SQL Injection when I can show you table names!”

Key Features of Scrawlr include:

  • Identify Verbose SQL Injection vulnerabilities in URL parameters
  • Can be configured to use a Proxy to access the web site
  • Will identify the type of SQL server in use
  • Will extract table names (verbose only) to guarantee no false positives

Scrawlr is free, but it has a few limitations: it crawls only up to 1500 pages, does not support blind SQL injection, and does not test POST parameters for SQL injection. Even with these limitations, it is still a useful tool for checking whether your sites are exposed to SQL injection.
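The "verbose" qualifier in the feature list means the database's own error text is echoed into the page, which is also how a scanner can name the backend in use. The check below is an added example (not Scrawlr's code or the post's): it classifies captured responses from your own site by well-known server/driver error strings so that pages leaking raw database errors can be fixed with generic error handling; the signature list and the sample responses are constructed for the example.

```python
import re

# Added example, not Scrawlr's code. Signatures are well-known server/driver
# error strings; the sample responses at the bottom are constructed.
# Database product -> regexes for error text echoed into a page when a
# query fails and the application shows the raw error ("verbose").
DB_ERROR_SIGNATURES = {
    "MySQL": [r"You have an error in your SQL syntax",
              r"mysql_fetch_(?:array|assoc|row)\(\)", r"Warning: mysqli?_"],
    "Microsoft SQL Server": [r"Unclosed quotation mark after the character string",
                             r"Microsoft OLE DB Provider for SQL Server", r"\[SQL Server\]"],
    "Oracle": [r"\bORA-\d{5}\b"],
    "PostgreSQL": [r"PostgreSQL.*ERROR", r"pg_(?:query|exec)\(\)",
                   r"unterminated quoted string at or near"],
    "Microsoft Access": [r"Microsoft JET Database Engine"],
}
_COMPILED = {db: [re.compile(p, re.IGNORECASE) for p in pats]
             for db, pats in DB_ERROR_SIGNATURES.items()}

def classify_response(body):
    """Return the database product whose error text appears in body, else None."""
    for db, patterns in _COMPILED.items():
        if any(p.search(body) for p in patterns):
            return db
    return None

def leaking_pages(responses):
    """responses: iterable of (url, body) pairs captured from your own site,
    e.g. a proxy log. Return [(url, db)] for each page that echoes a DB error."""
    found = []
    for url, body in responses:
        db = classify_response(body)
        if db is not None:
            found.append((url, db))
    return found

# Constructed sample responses: two leak driver errors, two do not.
SAMPLE_RESPONSES = [
    ("/products.asp?id=1", "<html><body>Widget: 12.50 USD</body></html>"),
    ("/products.asp?id=2", "Microsoft OLE DB Provider for SQL Server error '80040e14'"
     "<br>Unclosed quotation mark after the character string ''."),
    ("/news.php?id=3", "Warning: mysql_fetch_array() expects parameter 1 to be "
     "resource, boolean given in /var/www/news.php on line 42"),
    ("/search?q=test", "<html><body>Sorry, something went wrong (ref 7f3a).</body></html>"),
]

if __name__ == "__main__":
    for url, db in leaking_pages(SAMPLE_RESPONSES):
        print(f"{url}: leaks {db} error text; serve a generic error page instead")
```

A page that only returns a generic error (like the last sample) gives neither Scrawlr nor an attacker the backend name, which is the cheapest way to take a site out of the "verbose" category this scanner reports on.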

Links:
Download Scrawlr
Scrawlr Forum

via: communities.hp.com


Comments on “Scrawlr – Scanner for SQL Injection”

  1. Anuj Seth 29 June 2008 at 2:05 pm #

    Nice one! Thanks for the tip…

  2. Henry 30 June 2008 at 2:13 pm #

    We tested this tool against our servers with dotDefender; no attack could go through.
    dotDefender is a great SQL injection blocker tool. SQL injection attacks are not the only attacks that it blocks; there are many more.
    You can check and download their product for a 30-day evaluation. We tested it and are very happy with the significantly decreased number of attacks on our production servers.

  3. Mike 17 July 2008 at 12:43 am #

    Nice post, I think I am going to have to recommend this product to my host who was recently hacked and injected.

    Thanks!

    Mike

    instant host, domain name and whois search tool

  4. anonymous 27 May 2010 at 9:45 am #

    WebCruiser – Web Vulnerability Scanner

    WebCruiser – Web Vulnerability Scanner is a compact but powerful web security scanning tool that will aid you in auditing your site! It has a Vulnerability Scanner and a series of security tools.

    It supports scanning websites as well as POC (proof of concept) for web vulnerabilities: SQL Injection, Cross Site Scripting, XPath Injection etc. So, WebCruiser is also an automatic SQL injection tool, an XPath injection tool, and a Cross Site Scripting tool!

    Functions:
    * Crawler (site directories and files);
    * Vulnerability Scanner (SQL Injection, Cross Site Scripting, XPath Injection etc.);
    * POC (Proof of Concept): SQL Injection, Cross Site Scripting, XPath Injection etc.;
    * GET/POST/Cookie Injection;
    * SQL Server: PlainText/Union/Blind Injection;
    * MySQL/DB2/Access: Union/Blind Injection;
    * Oracle: Union/Blind/CrossSite Injection;
    * POST Data Resend;
    * Administration Entrance Search;
    * Time Delay For Search Injection;
    * Auto Get Cookie From Web Browser For Authentication;
    * Report Output.

    System Requirement: Windows with .Net Framework 2.0 or higher

    http://sec4app.com/

    http://websecurityscanner.blogspot.com/

