This just in from the land of "Beenthere", a city in the great state of "Donethat". Scrawlr is a new tool that can "detect" SQL injection flaws in web sites. Well... sort of. It doesn't detect blind injection points, it doesn't support authentication, it has a limit on the number of pages it will crawl, and it won't even execute POSTs. That's about as useless as a no-armed man playing basketball. Unless his name is Pele, he's pretty worthless.
While I can't fault HP and the SPI Dynamics team for releasing the tool for free, I can certainly say it's all been done before, and done better by others. I just did a quick Google search for "SQL Injection Tools" and the very first link contains no fewer than 10 tools that claim to both find and exploit SQL injection flaws. I know for a fact that at least one of these tools exploits blind injections and supports most authentication and POSTs (I helped debug it, so I speak firsthand).
To summarize, this tool release just sounds like a half-assed attempt to capitalize on the recent "Mass SQL Injection" attacks that have occurred on the Internet. Come on HP, get your stuff together. This is at best a marketing effort wrapped in technical freebie clothing. Everyone should feel free to use the tool if it will help them, but know that there are better free solutions out there.