Category:OWASP Scrubbr

= What is Scrubbr? = Scrubbr is a BSD-licensed database scanning tool that checks numerous database technologies for the presence of possible stored cross-site scripting attacks. The tool was partialy inspired by "Scrawlr", a trimmed-down version of HP's WebInspect which was released for free after the so-called "asprox" mass-SQL injection bot exploited hundreds of thousands of insecure ASP sites.

In a similar vein, Aspect Security generously donated Scrubbr to OWASP to help people get some visibility into their databases and check for malicious data.

What can Scrubbr do for me?
If you can tell Scrubbr how to access your database, it will search through every field capable of holding strings in the database for malicious code. If you want it to, it will search through every table, every row, and every column. This will be very slow on large enterprise databases, but its very useful to have assurance that there is no malicious data anywhere in the system.

Scrubbr can detect input that doesn't match up with an AntiSamy policy file. There is a subtle difference between "matching an AntiSamy policy" and being "detected as an attack."

There are numerous tools out that *detect* XSS attacks in different contexts better than AntiSamy. The most prominent and peer-reviewed are NoScript (http://noscript.net) and PHPIDS (http://php-ids.org/category/PHPIDS/). However, this is not strictly what AntiSamy does. AntiSamy checks if rich input that is passed in is allowed according to a policy file.

Chances are that there is some input in your database that looks like rich input how we in the web world think about it, but actualy isn't. For example, if someone writes the following in their profile comment:

"Hey, I sure am gonna miss seeing Sarah Palin on TV all the time ".

Obviously the user intended the  string to express a grin emotion, but that unfortunately looks like rich input, and since AntiSamy uses a whitelist for higher assurance, it will be flagged.

We are always looking to improve our engine, and we are working with the PHPIDS group to possibly invoke their ruleset in order to provide less false positives.

With all of that being said, AntiSamy does an excellent job in most situations and will still detect the vast majority of stored XSS attacks, depending on the injection context.

What can't Scrubbr do for me?
Scrubbr can't find XSS vulnerabilities in your web application. It can only detect data that doesn't follow your site's policy for input that is in your database. If you don't have a policy for rich input, then start with the Slashdot policy file and add what you think you need from the other policy files. More information on policy files can be found on the OWASP AntiSamy page:

http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project

Once you have a policy in place, then you can enfoce it with Scrubbr.

= How do I get Scrubbr? =

You can download the Scrubbr installer from the project's Google Code downloads page.

= Contacting the Scrubbr group = If you would like to request a feature, let us know about a bug, or provide a patch, please let us know on the Google Code issue tracker for the project:

http://code.google.com/p/owaspscrubbr/issues

General questions can be e-mailed to the Scrubbr mailing list owasp-scrubbr@lists.owasp.org. If you have a question about Scrubbr development, contact the owasp-scrubbr-devel@lists.owasp.org mailing list.

= Credits = Scrubbr was primarily developed by Arshan Dabirsiaghi (arshan.dabirsiaghi@aspectsecurity.com) of Aspect Security with help from Brandon Devries (brandon.devries@gmail.com). Other folks contributed in their own ways, including:

- Dave Wichers, COO, Aspect Security - Jeff Williams, CEO, Aspect Security - Mike Fauzy, Senior Application Security Engineer, Aspect Security - Marcin Wielgoszewski, Security Consultant, TSSCISecurity.com