WebApp Sec mailing list archives
RE: Web Application Source Vulnerability Scanners
From: securityarchitect () hush com
Date: Tue, 4 Mar 2003 08:48:50 -0800
I know this list doesn't cater for commercial tool discussions specifically so choosing words carefully moderator ;-) To counter that you should look at the latest review of commercial tools. All failed pretty miserably and the general recomendation was to wait until the next generation of tools come out. http://www.infosecuritymag.com/2003/jan/cover.shtml On Tue, 04 Mar 2003 07:25:02 -0800 Ory Segal <ory.segal () sanctuminc com> wrote:
Hi, The problem with most open source tools is that they are very strong in CGI Scanning, but when it comes to mutating real HTTP requests, and testing the web application layer, they lack good engine features. They do not have features such as: 1) Application level tests such as manipulation of : HTML form parameters (SQL Inj., Buffer Overflows, Poison null byte, Format strings bugs, Cookies, HTTP Headers etc...) 2) Automatic testing validation. 3) Good reporting abilities 4) Session management/Transient management - Keeping the scanner 'in session'. This gives you the ability to scan web applications that force you to login, and may kick you out of session, if you caused some error - I believe that most large web apps have this. I believe that AppScan is the only scanner to perform this action. 5) Good performance 6) Contstant updates. 7) Logging of raw HTTP traffic 8) The ability to easily implement new tests. -Ory Segal.
Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2 Big $$$ to be made with the HushMail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427
Current thread:
- Web Application Source Vulnerability Scanners Rosado, Rafael (Rafael) (Feb 27)
- Re: Web Application Source Vulnerability Scanners Kevin Spett (Feb 27)
- Re: Web Application Source Vulnerability Scanners Dave Aitel (Feb 28)
- <Possible follow-ups>
- RE: Web Application Source Vulnerability Scanners Dawes, Rogan (ZA - Johannesburg) (Feb 28)
- RE: Web Application Source Vulnerability Scanners Ory Segal (Mar 04)
- Re: Web Application Source Vulnerability Scanners Javier Fernandez-Sanguino (Mar 07)
- Re: Web Application Source Vulnerability Scanners Kevin Spett (Mar 10)
- Re: Web Application Source Vulnerability Scanners Javier Fernandez-Sanguino (Mar 07)
- RE: Web Application Source Vulnerability Scanners securityarchitect (Mar 04)
- Re: Web Application Source Vulnerability Scanners Dave Aitel (Mar 04)
- Re: Web Application Source Vulnerability Scanners Kevin Spett (Mar 04)
- Re: Web Application Source Vulnerability Scanners Jeff Williams @ Aspect (Mar 04)
- RE: Web Application Source Vulnerability Scanners Brass, Phil (ISS Atlanta) (Mar 04)
- Re: Web Application Source Vulnerability Scanners Toby Barrick (Mar 04)
- RE: Web Application Source Vulnerability Scanners Rose, Tracey (Mar 04)
- RE: Web Application Source Vulnerability Scanners Rosado, Rafael (Rafael) (Mar 04)
- RE: Web Application Source Vulnerability Scanners Vitor Ventura (Mar 20)
- RE: Web Application Source Vulnerability Scanners David Cameron (Mar 20)