And Now For A Few Words About HP’s “Scrawlr”

Mike Tracy | June 26th, 2008 | Filed Under: Defenses, Malware, New Findings

1.

Some of my favorite reads (there are others) have recently written about Scrawlr, and some of what I have read has been critical. Critical enough? Depending on your level of pedantry with respect to webapp security and/or free software, probably not.

Stop that. Right now. Overlook the limitations of the tool that was released, realize that this is a closely targeted thing designed to help alleviate a specific problem. Go back and think a little harder about what is going on and why this is actually A Good Thing(tm).

This scanner, released as part of the advisory, is specifically designed to help people who run websites that have been targeted by this ongoing and massive SQL injection attack shore things up. The tool has limitations. Quoted from a text file included with the Scrawlr package:

This is a free tool and is intended to find SQL Injection vulnerabilities on pages that hackers can discover using a simple crawler or google query. This application mimics a search engine crawler and lacks the advanced crawling and auditing features of tools such as WebInspect, DevInspect, QAInspect, and AMP. Thus Scrawlr will only find SQL Injection vulnerabilities on GET Parameters; Scrawlr will not submit forms, nor audit them. The list below summarizes the limitations:

  • 1500 Max Crawled URLs
  • No Script parsing during crawl
  • No Flash parsing during crawl
  • No form submissions during crawl (No POST Parameters)
  • Only simple proxy support
  • No authentication or login functionality
  • Does not check for blind SQL injection

The scanner is built to look for things being indexed by search engines. If those sites are fixed, 99.999% of the problem should go away.

Trying to compare Scrawlr to a full-blown SQL injection scanning tool is like comparing a letter opener to a Swiss Army Knife. Sure, you can do other things with a letter opener (and some of you probably want to slit my throat for that simile. That’s fine, use the knife), but its stated purpose is to open letters.

2.

The limitations aren’t that bad. Take the biggest one, authentication. I tried it. For the vast majority of sites, “authentication” means “HTTP forms that set cookies”. For those types of sites, it was easy to get the tool to operate against sites “post authentication”. (I didn’t try basic/NTLM/digest; I don’t have a ready test subject. I’d be surprised if it worked.)

Using Burp Suite, do the following:

  1. Log in to the application using a web browser
  2. Record the Cookie: header the browser now sends
  3. In Burp, go to the Proxy -> Options tab
  4. Go to the “match and replace” section
  5. Add a new rule
    • Type: request-header
    • Match: ^Accept.*$
    • Replace: Cookie: (the recorded cookie header)
  6. Point Scrawlr at your running proxy

Basically, this just replaces the Accept: */* header that Scrawlr sends on every request with the recorded Cookie header, so the site sees the crawler as your logged-in session.
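The same header rewrite, as an added example that is not part of the original post and not Burp’s or HP’s code: a small Python function that applies a Burp-style “request header” match-and-replace rule to a raw HTTP request. The sample request, the cookie value and the host name are constructed for the example. It also goes one step beyond the Burp rule: if a rule matches no header at all (a crawler that omits Accept), the replacement is appended as a new header, because the trick above silently stops working the moment the matched header is absent.

```python
import re

# Constructed sample request, modelled on what a simple crawler such as
# Scrawlr sends through a proxy (host and header values are invented).
SAMPLE_REQUEST = (
    b"GET /products.asp?id=7 HTTP/1.1\r\n"
    b"Host: shop.example.test\r\n"
    b"User-Agent: Scrawlr\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)

# Placeholder for the session cookie recorded from the logged-in browser.
SESSION_COOKIE = "Cookie: ASPSESSIONID=PLACEHOLDER-SESSION-VALUE"

# Rules in the same shape as the Burp match-and-replace entry from the post:
# a regex tried against each header line, and the text that replaces the
# whole matched line.
RULES = [
    (r"^Accept.*$", SESSION_COOKIE),
]


def rewrite_request(raw: bytes, rules=RULES, add_if_unmatched: bool = True) -> bytes:
    """Apply header match-and-replace rules to one raw HTTP/1.x request.

    The request line and any body pass through unchanged; only header lines
    are rewritten. With add_if_unmatched set, a rule whose regex matched no
    header line has its replacement appended as a new header, so the cookie
    is still sent when the crawler omits Accept. (Burp's own rule does not
    do this; it is an extension made for this example.)
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    request_line, headers = lines[0], lines[1:]
    compiled = [(re.compile(pattern), repl) for pattern, repl in rules]
    matched = [False] * len(compiled)

    new_headers = []
    for line in headers:
        for i, (pattern, repl) in enumerate(compiled):
            if pattern.search(line):
                # Replace the whole header line, as the Burp rule does.
                line = pattern.sub(repl, line, count=1)
                matched[i] = True
                break
        new_headers.append(line)

    if add_if_unmatched:
        for i, (_, repl) in enumerate(compiled):
            if not matched[i]:
                new_headers.append(repl)

    new_head = "\r\n".join([request_line] + new_headers).encode("iso-8859-1")
    return new_head + sep + body


def header_value(raw: bytes, name: str):
    """Return the value of the first header called `name`, or None if absent."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


if __name__ == "__main__":
    print(rewrite_request(SAMPLE_REQUEST).decode("iso-8859-1"))
```

Run it and the Accept line is gone and the Cookie line is in its place; feed it a request with no Accept header and the cookie is appended instead of being dropped on the floor. Whichever way you do it, the cookie you paste in is a live session for your own site, so treat the proxy configuration like a credential.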

Yay! A free tool that people can use to see if their sites are vulnerable to mischief. Plus! A free code scanner and a free sort of maybe web application firewall to help them protect themselves. Your old ASP sites are now safe from all this ruckus.

3.

I spent some time talking about this with colleagues (colleague n. drinking buddy) at ChiSec last night [if you weren’t there it was a blast and you should come to the next one -ed.] and as much as I love the idea behind this, consternation is bubbling beneath the surface.

What I’m having trouble understanding are the motivations of Microsoft and HP and their estimation of how effective this will actually be. This is either Defense In Depth’s red-headed stepchild cum marketing ploy or… Not sure I actually see an “or”. Half-baked code analyzer (ok I don’t really know that but…)? Check. Web Application Firewall Lite? Check. Hey! Get the guys at SPI to throw in a cripple-ware SQL injection scanner and we’re all set to at least appear like we are trying in some way to maybe have a chance at helping a person or two.

Great!

I want a count of the owners of target audience websites who actually read the advisory, understand it, realize they are affected and then actually use any of the schwag provided to help them solve their problems.

Microsoft seems like a good egg for going to all this trouble and HP gets their name on it. Maybe people will come sniffing around for a “real” security tool or two. Humbug I say!

In the end, motivations are incidental. I’m really just interested in seeing how effective this is.

5 Comments so far

  • […] Thomas Ptacek investigates further and provides a workaround that’ll work for the majority of sites that […]

  • Andre Gironda

    June 26th, 2008 4:18 pm

    At least they didn’t say “upgrade to ASP.NET 3.5 and all your problems will go away”.

  • send9

    June 26th, 2008 9:26 pm

    I just hope that the average admin/web-developer doesn’t use this to scan their site and think it’s “SQl injection free.” You would hope they understand it’s a very targeted, specific tool, but it might wind up giving them a false sense of security instead.

  • drrr

    June 28th, 2008 5:08 pm
  • john

    July 3rd, 2008 8:35 am

    Well I ran the tool and passed on the (negative) results to our SO. His comment:

    “If they can see all the tables in the database, can they read the data?”

    What to say?
