Re: Required Help on Automated Tools

[Marian Rudzynski <mr () impaled org>]

Prodigi Child wrote:
> The problem with relying *only* on automated tools is that you may be
> missing some attack vectors that an automated tools may not exploit (such as
> the PCI example that Matt brought up). I think the best way to do these
> tests is a happy medium of using the automated tools to take care of the
> obvious stuff like web server vulnerabilities, combined with manual methods
> like manually looking at the responses from the server, and using manual
> tools like netcat, etc. The approaches should be complementary, and I can't
> think of any reason to only rely on one or the other.
>
>
> Mike
>
>   
PCI DSS assessment is a very good example for all sorts of applications 
as all they do is try to enforce good practice.

On a PCI setup we did, we only ran nmap and nessus for the sake of 
including such tests but everything else was done manually.

Especially when testing a web application, no automated test will know 
better where there might be an injection possible than you do yourself. 
Run them, add the results but in the end only thoughrough manual tests 
will find real vulnerabilities.

Get a third party into it too, if possible. Someone who has no knowledge 
of the code behind the application but is very imaginative when coming 
up with attack scenarios.
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
> Behalf Of Dharmendra T
> Sent: Thursday, October 16, 2008 1:24 AM
> To: Matt - MRS Security
> Cc: pen-test () securityfocus com
> Subject: Re: Required Help on Automated Tools
>
> Dear matt,
>
> Can you give few points as to why we should not automate the assessments 
> or testing? Don't you think the automation helps you in so many ways, 
> one of the best I could think of is "it will be faster compared to manual"??
>
> Regards,
> Dharmendra T.
>
> Matt - MRS Security wrote:
>   
> > Vin Oxious wrote:
> >     
> > > Hello Everyone,
> > >
> > >                                Greetings !! ..Can you please list me
> > > some tools that would allow automated testing of the below ...  (
> > > while I have already got a few tools .. just wanted to know if there
> > > are some good ones ) ..
> > >
> > > SQL Injection -
> > >
> > > XSS -
> > >
> > > Improper Session Management -
> > >
> > > URL Access -
> > >
> > > Direct Object Reference -
> > >
> > >
> > > regards,
> > > Noxious
> > >
> > > ------------------------------------------------------------------------
> > > This list is sponsored by: Cenzic
> > >
> > > Security Trends Report from Cenzic
> > > Stay Ahead of the Hacker Curve!
> > > Get the latest Q2 2008 Trends Report now
> > >
> > > www.cenzic.com/landing/trends-report
> > > ------------------------------------------------------------------------
> > >
> > >   
> > >       
> > Please, please, please, please, please dont automate this kind of 
> > testing and then based upon the results give the customer a pass if 
> > nothing found.
> >
> > I never ever advise automated application assessments to anyone. I 
> > personally from the outset at the most automate the spidering of the 
> > site and then manually audit it.
> >
> > Improper session management can really only be assessed manually by 
> > looking at the cookie or any session data passed as part of the URL.
> >
> > There are a number of issues that automated tools will never discover.
> >
> > Sorry to beat home this fact but at the most automated tools should be 
> > run at the end of the test to verify your results.
> >
> > I know personally of a PCI ASV that i competed against during some 
> > work and they used automated scanning, they passed the merchant and i 
> > found SQL injection (XP_CMDSHELL level), XSS, CSRF, weak session 
> > management, data passed in the clear to name a few.
> >
> > More than likely this email is going to cause an argument, but please 
> > do not automate testing from the outset. Use it to verify your results.
> >
> > Thanks
> >
> > Matt.
> >
> >
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Cenzic
> >
> > Security Trends Report from Cenzic
> > Stay Ahead of the Hacker Curve!
> > Get the latest Q2 2008 Trends Report now
> >
> > www.cenzic.com/landing/trends-report
> > ------------------------------------------------------------------------
> >
> >     
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Security Trends Report from Cenzic
> Stay Ahead of the Hacker Curve!
> Get the latest Q2 2008 Trends Report now
>
> www.cenzic.com/landing/trends-report
> ------------------------------------------------------------------------
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Security Trends Report from Cenzic
> Stay Ahead of the Hacker Curve!
> Get the latest Q2 2008 Trends Report now
>
> www.cenzic.com/landing/trends-report
> ------------------------------------------------------------------------
>
>   


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------