Software analyzing (crawling) sites for SQL inject
Posted: Wed Oct 29, 2008 3:14 am
by papa
Hi,
I'm currently looking for software that can analyze/crawl a couple of hundred websites and look for security holes à la SQL injection.
Tried a free trial from HP (Scrawl) that worked decently but had a limit of 1500 files per site and that wasn't enough unfortunately.
Just wanted to see if anyone had experience or knowledge of any similar software that could help?
Thanks (Hope I posted this in the right forum)
Re: Software analyzing (crawling) sites for SQL inject
Posted: Wed Oct 29, 2008 4:30 am
by josh
Problem with this is there are too many ways for the injection to enter the SQL other than GET parameters: there's cross-site scripting, cookies, forms, request header faking, etc...
I know there's tools that sit between the application and the DBMS and look for SQL injection but in practice they didn't appear to work too well. What happened to just escaping your variables?
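To make the point about injection vectors concrete, here is an added example that is not from the thread or from any tool named in it. It is a constructed SQLite-backed lookup written three ways (string concatenation, naive quote escaping, bound parameters) plus a small probe that pushes one boolean payload through a GET parameter, a cookie and a request header and reports which vectors widened the result set. The table, the handler names, the header and cookie names, and the payloads are all assumptions made for the example.

```python
import sqlite3
from typing import Callable, Dict, List

# A request is modelled as three attacker-controlled maps (assumption for the example).
Request = Dict[str, Dict[str, str]]
Handler = Callable[[sqlite3.Connection, Request], List[str]]


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a site's product table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, secret INTEGER);"
        "INSERT INTO products VALUES (1, 'widget', 0);"
        "INSERT INTO products VALUES (2, 'gadget', 0);"
        "INSERT INTO products VALUES (3, 'internal', 1);"
    )
    return conn


def _inputs(req: Request):
    """The three attacker-controlled values every handler below consumes."""
    return (req["query"].get("id", "1"),
            req["cookies"].get("last_viewed", ""),
            req["headers"].get("X-Client", ""))


def handle_concat(conn: sqlite3.Connection, req: Request) -> List[str]:
    """Vulnerable: GET parameter, cookie and header are all spliced into the SQL text."""
    ident, last, client = _inputs(req)
    sql = ("SELECT name FROM products WHERE secret = 0"
           " AND id = " + ident +
           " AND name != '" + last + "'"
           " AND '" + client + "' != 'blocked'")
    return [row[0] for row in conn.execute(sql)]


def escape_quotes(value: str) -> str:
    """Naive 'escape your variables': double every single quote."""
    return value.replace("'", "''")


def handle_escaped(conn: sqlite3.Connection, req: Request) -> List[str]:
    """Escaping closes the quoted cookie and header contexts, but id is unquoted."""
    ident, last, client = (escape_quotes(v) for v in _inputs(req))
    sql = ("SELECT name FROM products WHERE secret = 0"
           " AND id = " + ident +
           " AND name != '" + last + "'"
           " AND '" + client + "' != 'blocked'")
    return [row[0] for row in conn.execute(sql)]


def handle_param(conn: sqlite3.Connection, req: Request) -> List[str]:
    """Bound parameters: a value can never change the statement's structure."""
    sql = ("SELECT name FROM products WHERE secret = 0"
           " AND id = ? AND name != ? AND ? != 'blocked'")
    return [row[0] for row in conn.execute(sql, _inputs(req))]


# One boolean payload per vector; the trailing `--` comments out the rest of the statement.
PAYLOADS = {
    "query":   ("id",          "1 OR 1=1 --"),
    "cookies": ("last_viewed", "' OR 1=1 --"),
    "headers": ("X-Client",    "' OR 1=1 --"),
}


def probe_vectors(conn: sqlite3.Connection, handler: Handler) -> List[str]:
    """Return the vectors through which the payload widened the result set.

    A wider result than the benign baseline is the signal; a SQL syntax error
    is swallowed here because it is a different (and weaker) signal.
    """
    baseline = len(handler(conn, {"query": {"id": "1"}, "cookies": {}, "headers": {}}))
    hits = []
    for vector, (key, payload) in PAYLOADS.items():
        req: Request = {"query": {"id": "1"}, "cookies": {}, "headers": {}}
        req[vector][key] = payload
        try:
            rows = handler(conn, req)
        except sqlite3.Error:
            continue
        if len(rows) > baseline:
            hits.append(vector)
    return hits


if __name__ == "__main__":
    db = make_db()
    for label, h in (("concat", handle_concat), ("escaped", handle_escaped), ("param", handle_param)):
        print(f"{label:8s} injectable via: {probe_vectors(db, h)}")
```

Run stand-alone, the concatenating handler is injectable through all three vectors, the escaping handler is still injectable through the unquoted numeric `id`, and the parameterized handler through none. That numeric case is the usual caveat to "just escape your variables": escaping only helps inside a quoted context, whereas bound parameters hold regardless of where the value lands in the statement.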
Re: Software analyzing (crawling) sites for SQL inject
Posted: Wed Oct 29, 2008 4:40 am
by papa
Forgot to mention that this might be a little off topic for a PHP forum.
It's ASP sites which I should have mentioned of course.
One problem is that we don't have the source code for most of the sites, so some kind of crawler would help a lot. The reason that there are so many files is because a web publishing tool is being used and the company who made it is no longer...
Re: Software analyzing (crawling) sites for SQL inject
Posted: Wed Oct 29, 2008 12:17 pm
by josh
No such tool is going to be as bulletproof as you probably need; too much opportunity for false positives.
Re: Software analyzing (crawling) sites for SQL inject
Posted: Mon Nov 03, 2008 3:06 am
by papa
Probably not, but it's better than nothing. Scrawl found one hole that we've fixed, so at least it helps a little bit.
