Re: Web Application Source Vulnerability Scanners

[Toby Barrick <tbarrick () cox net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IMHO, there is no "silver bullet."  My "toolkit" utilizes many 
applications, open source and commercial when validating an 
application/website. I have looked at many programs that proclaim to be 
the "best of breed," but every single one of them have short comings, 
and every single one of them report false positives and negatives.

As in the mechanic world, having a 9/16 (14[.28] mm) wrench will assure 
compatibility with about 20% of the bolts installed on autos, it takes a 
tool box full of wrenches to completely disassemble an auto.

The bottom line is that it takes a keen eye, experience, and a "gut 
feeling" to properly validate the results returned by ANY scanner.

--


Toby Barrick
Advisory Software Engineer
AXP Out-Tasking Relationship
IBM Global Services
E-commerce Security
Phone 602-766-2410
Cell 602-790-5438
Fax 480-940-9199
e-Mail:
IBM - tnbarric () us ibm com
AMEX - Internet-Security () aexp com
Personal - tbarrick () cox net

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1

iQA/AwUBPkBTtaCZ55oPBRfIEQIQtACdEeFMxo31Xx+37MgCe3vA2QzZ6H4An3JR
EE4P8UUcvkhKZr8DCvr26yoS
=8VV5
-----END PGP SIGNATURE-----

Brass, Phil (ISS Atlanta) wrote:
> When you say most, I'm guessing you're excluding at least Spike Proxy,
> see below:
>
>
> > -----Original Message-----
> > From: Ory Segal [mailto:ory.segal () sanctuminc com] 
> > Sent: Tuesday, March 04, 2003 10:25 AM
> > To: webappsec () securityfocus com
> > Subject: RE: Web Application Source Vulnerability Scanners
> >
> >
> > Hi,
> >
> > The problem with most open source tools is that they are very 
> > strong in 
> > CGI Scanning, but when it comes to mutating real HTTP requests, and 
> > testing the web application layer, they lack good engine 
> > features. They 
> > do not have features such as:
> > 1) Application level tests such as manipulation of : HTML form 
> > parameters (SQL Inj., Buffer Overflows, Poison null byte, 
> > Format strings 
> > bugs, Cookies, HTTP Headers etc...)
>
>
> It's in there, though not as comprehensive as the commercial tools.
>
>
> > 2) Automatic testing validation.
>
>
> Not sure what this means?
>
>
> > 3) Good reporting abilities
>
>
> I don't think it has any reporting capabilities at all?
>
>
> > 4) Session management/Transient management - Keeping the scanner 'in 
> > session'. This gives you the ability to scan web applications 
> > that force 
> > you to login, and may kick you out of session, if you caused 
> > some error 
> > - I believe that most large web apps have this. I believe 
> > that AppScan 
> > is the only scanner to perform this action.
>
>
> Since it's mainly a proxy, your browser keeps it in session.  For the
> static CGI checks it probably does not stay "in-session" with cookies,
> but I suspect that might not be too hard, at least for static session
> identifiers.
>
>
> > 5) Good performance
>
>
> Kinda hard to quantify.  I would say Spike proxy has average performance
> for most tests - they are performed one-at-a-time rather than in
> parallel, like the current generation of many other tools.
>
>
> > 6) Contstant updates.
>
>
> There was a while there where you couldn't go two days without seeing
> another annoying announcement from Dave about the latest update to Spike
> proxy.
>
>
> > 7) Logging of raw HTTP traffic
>
>
> It's in there.
>
>
> > 8) The ability to easily implement new tests.
>
>
> VulnXML support for implementing your own checks in a
> standards-compliant fashion.
>
> Plus, fully open-source, so you can fix bugs if they annoy you enough.
>
> Not as polished or comprehensive as commercial scanners, but it's free
> and it *is* application-level, and it *does* have tests for
> buffer-overflows and SQL injection and the like.
>
> Phil