Great tool for finding SQL Injection vulnerabilities

I support a lot of large Classic ASP sites written years ago, and every once in a while they get hit with SQL Injection attacks. I grep through the log files, find out where they got in, and patch it up, along with any other places where the same code is used. One site I’ve probably audited five times, but it seems like I always miss a hole.

The HP Security Laboratory released a new piece of free (as in beer) software today called Scrawlr that scans your site and finds any openings. I ran it on a few of the sites I support and it found a couple more holes that, when I looked at them, weren’t obvious injection points. The sites are all patched up now and I can sleep again.

Posted June 24th, 5:40 PM