Software analyzing (crawling) sites for SQL inject

papa
Forum Regular
Posts: 958
Joined: Wed Aug 27, 2008 3:36 am
Location: Sweden/Sthlm

Post by papa »

Hi,

I'm currently looking for software that can analyze/crawl a couple of hundred websites and look for security holes such as SQL injection.

Tried a free trial from HP (Scrawl) that worked decently but had a limit of 1500 files per site and that wasn't enough unfortunately.

Just wanted to see if anyone had experience or knowledge of any similar software that could help?

Thanks (Hope I posted this in the right forum)
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

Problem with this is there's too many ways for the injection to enter the SQL other than GET parameters: there's cross site scripting, cookies, forms, request header faking, etc...

I know there's tools that sit between the application and the DBMS and look for SQL injection but in practice they didn't appear to work too well. What happened to just escaping your variables?
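To make josh's point concrete, here is an added example that is not from the thread or from any tool mentioned in it. It builds a constructed in-memory stand-in for one of papa's sites, with one route reading from each of four request sources (a GET parameter, a form field, a cookie and a request header) and splicing the value into SQL, then runs a small error-based probe across those sources. A crawl that only mutates GET parameters reports one hole; probing all four sources reports four. The same app with the parameter-bound variant of each query (the hardened form of "escaping your variables") reports none. The `App`, `ROUTES`, `PROBES` and `ERROR_MARKERS` names are assumptions made for this example.

```python
import sqlite3

# Constructed stand-in for one target site (NOT the original poster's site):
# a tiny in-memory app whose routes each read one request source and build
# SQL from it. It exists only so the probe below has something to hit offline.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, lang TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'alice', 'sv'), (2, 'bob', 'en')")
    return db

# One route per input source: (path, request source, parameter name, SQL template).
ROUTES = [
    ("/user",  "query",   "id",         "SELECT name FROM users WHERE id = %s"),
    ("/login", "form",    "user",       "SELECT id FROM users WHERE name = '%s'"),
    ("/prefs", "cookies", "lang",       "SELECT name FROM users WHERE lang = '%s'"),
    ("/track", "headers", "User-Agent", "SELECT id FROM users WHERE name = '%s'"),
]

class App:
    """parameterized=False splices input into the SQL text (the bug);
    parameterized=True binds it as a '?' parameter (the fix)."""
    def __init__(self, parameterized):
        self.parameterized = parameterized
        self.db = make_db()

    def handle(self, request):
        for path, source, name, template in ROUTES:
            if request["path"] == path:
                value = request[source].get(name, "1")
                try:
                    if self.parameterized:
                        sql = template.replace("'%s'", "?").replace("%s", "?")
                        rows = self.db.execute(sql, (value,)).fetchall()
                    else:
                        rows = self.db.execute(template % value).fetchall()
                except sqlite3.Error as e:
                    # Verbose error page, the kind a classic ASP/ADO site leaks
                    return 500, "Database error: " + str(e)
                return 200, repr(rows)
        return 404, "not found"

# Cheap syntax-breaking probes; a quote that is not escaped breaks the statement.
PROBES = ["'", '"']
ERROR_MARKERS = ("database error", "syntax error", "unrecognized token")

def blank_request(path):
    return {"path": path, "query": {}, "form": {}, "cookies": {}, "headers": {}}

def probe(app, path, source, name):
    """Inject each probe through one request source; return the first probe
    that turns the response into a database error page, or None."""
    for payload in PROBES:
        req = blank_request(path)
        req[source][name] = "1" + payload
        status, body = app.handle(req)
        if status == 500 and any(m in body.lower() for m in ERROR_MARKERS):
            return payload
    return None

def scan(app, sources=("query", "form", "cookies", "headers")):
    """Return one (path, source, parameter, payload) finding per injectable input
    reachable through the given request sources."""
    findings = []
    for path, source, name, _ in ROUTES:
        if source in sources:
            payload = probe(app, path, source, name)
            if payload is not None:
                findings.append((path, source, name, payload))
    return findings

if __name__ == "__main__":
    vuln = App(parameterized=False)
    print("GET-only crawl:", scan(vuln, sources=("query",)))   # one finding
    print("all sources:   ", scan(vuln))                        # four findings
    print("parameterized: ", scan(App(parameterized=True)))     # no findings
```

The detection here is deliberately the weakest kind (an error page after a stray quote), which is roughly what a free crawler of that era did; a real site that swallows database errors needs boolean or time-based probes instead, and those are exactly where josh's false-positive concern bites.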
papa

Post by papa »

Forgot to mention that this might be a little off topic for a PHP forum.

It's ASP sites which I should have mentioned of course.


One problem is that we don't have the source code for most of the sites, so some kind of crawler would help a lot. The reason that there are so many files is that a web publishing tool is being used and the company who made it is no longer...
josh

Post by josh »

No such tool is going to be as bulletproof as you probably need; too much opportunity for false positives.
papa

Post by papa »

Probably not, but it's better than nothing. Scrawl found one hole that we've fixed, so at least it helps a little bit. :)