WebApp Sec mailing list archives
RE: Web Application Source Vulnerability Scanners
From: "Rosado, Rafael (Rafael)" <rarosado () lucent com>
Date: Tue, 4 Mar 2003 15:44:09 -0700
Toby,

Would you care to share with the list the set of tools ("toolkit") you use? I am interested in understanding what your "toolkit" of open source and commercial toolset is comprised of.

Rafael Rosado, CISSP, CISA
IT Security Manager
Caribbean and Latin America Region (CALA) & Global Risk Assessment and Penetration Testing
Lucent Technologies
Corporate Security
Business Assurance and Risk Mitigation Services (B.A.R.M.S.)
2400 SW 145th Avenue - Room 3S039
Miramar, Florida 33027
+1 954-885-2176 (voice) * +1 954-885-3861 (fax) * +1 954-648-3532 (mobile) or 9546483532 () mobile att net (text message) * rarosado () lucent com (email)

This electronic mail message contains information belonging to Lucent Technologies, which may be confidential and/or legally privileged. The information is intended only for the use of the individual or entity named above. If you are not the intended recipient, you are hereby notified that any disclosure, printing, copying, distribution, or the taking of any action in reliance on the contents of this electronically mailed information is strictly prohibited. If you receive this message in error, please immediately notify us by electronic mail and delete this message.

-----Original Message-----
From: Toby Barrick [mailto:tbarrick () cox net]
Sent: Tuesday, March 04, 2003 4:08 PM
To: webappsec () securityfocus com
Subject: Re: Web Application Source Vulnerability Scanners

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IMHO, there is no "silver bullet." My "toolkit" utilizes many applications, open source and commercial, when validating an application/website. I have looked at many programs that proclaim to be the "best of breed," but every single one of them has shortcomings, and every single one of them reports false positives and negatives.

As in the mechanic world, having a 9/16 (14[.28] mm) wrench will assure compatibility with about 20% of the bolts installed on autos; it takes a tool box full of wrenches to completely disassemble an auto. The bottom line is that it takes a keen eye, experience, and a "gut feeling" to properly validate the results returned by ANY scanner.

--
Toby Barrick
Advisory Software Engineer
AXP Out-Tasking Relationship
IBM Global Services E-commerce Security
Phone 602-766-2410
Cell 602-790-5438
Fax 480-940-9199
e-Mail: IBM - tnbarric () us ibm com
AMEX - Internet-Security () aexp com
Personal - tbarrick () cox net

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1

iQA/AwUBPkBTtaCZ55oPBRfIEQIQtACdEeFMxo31Xx+37MgCe3vA2QzZ6H4An3JR
EE4P8UUcvkhKZr8DCvr26yoS
=8VV5
-----END PGP SIGNATURE-----

Brass, Phil (ISS Atlanta) wrote:

When you say most, I'm guessing you're excluding at least Spike Proxy, see below:

-----Original Message-----
From: Ory Segal [mailto:ory.segal () sanctuminc com]
Sent: Tuesday, March 04, 2003 10:25 AM
To: webappsec () securityfocus com
Subject: RE: Web Application Source Vulnerability Scanners

> Hi,
>
> The problem with most open source tools is that they are very strong in CGI scanning, but when it comes to mutating real HTTP requests, and testing the web application layer, they lack good engine features. They do not have features such as:
>
> 1) Application level tests such as manipulation of: HTML form parameters (SQL Inj., Buffer Overflows, Poison null byte, Format string bugs, Cookies, HTTP Headers etc...)

It's in there, though not as comprehensive as the commercial tools.

> 2) Automatic testing validation.

Not sure what this means?

> 3) Good reporting abilities

I don't think it has any reporting capabilities at all?

> 4) Session management/Transient management - Keeping the scanner 'in session'. This gives you the ability to scan web applications that force you to login, and may kick you out of session if you caused some error - I believe that most large web apps have this. I believe that AppScan is the only scanner to perform this action.

Since it's mainly a proxy, your browser keeps it in session. For the static CGI checks it probably does not stay "in-session" with cookies, but I suspect that might not be too hard, at least for static session identifiers.

> 5) Good performance

Kinda hard to quantify. I would say Spike proxy has average performance for most tests - they are performed one-at-a-time rather than in parallel, like the current generation of many other tools.

> 6) Constant updates.

There was a while there where you couldn't go two days without seeing another annoying announcement from Dave about the latest update to Spike proxy.

> 7) Logging of raw HTTP traffic

It's in there.

> 8) The ability to easily implement new tests.

VulnXML support for implementing your own checks in a standards-compliant fashion. Plus, fully open-source, so you can fix bugs if they annoy you enough.

Not as polished or comprehensive as commercial scanners, but it's free and it *is* application-level, and it *does* have tests for buffer-overflows and SQL injection and the like.

Phil
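Ory's item 4 (keeping the scanner "in session" when the application drops the session after an error) and item 7 (logging raw HTTP traffic) are the two engine features most often missing from simple CGI-checkers. The following is an added example, written for this archive page and not code from SPIKE Proxy, AppScan, or any of the posters. The `FakeApp` class is a constructed in-process stand-in for a login-protected web application (no network is used), and the names `FakeApp`, `SessionAwareScanner`, `Request` and `Response` are assumptions of this example. The app drops the session whenever a request causes an application error; the scanner keeps a cookie jar, detects the redirect back to the login page, re-authenticates, retries the request it was running, and records every request/response pair so a human can validate the result afterwards, as Toby's message recommends.

```python
"""Added example (not from the thread): a session-aware test loop.

FakeApp is a constructed stand-in for a web app; the scanner keeps itself
"in session" and logs raw traffic.  Nothing here talks to a real host.
"""
import itertools
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Request:
    method: str
    path: str
    params: Dict[str, str]
    cookies: Dict[str, str]


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


class FakeApp:
    """Constructed target: issues a session cookie at /login, requires it
    elsewhere, and discards the session on an application error."""

    def __init__(self) -> None:
        self._ids = itertools.count(1000)
        self.sessions = set()

    def handle(self, req: Request) -> Response:
        if req.path == "/login":
            if req.params.get("user") == "tester" and req.params.get("pw") == "secret":
                sid = f"s{next(self._ids)}"
                self.sessions.add(sid)
                return Response(302, {"Set-Cookie": f"SID={sid}", "Location": "/account"})
            return Response(200, {}, "<form>login</form>")
        sid = req.cookies.get("SID")
        if sid not in self.sessions:
            return Response(302, {"Location": "/login"})
        # An apostrophe in any parameter triggers an application error, and the
        # app "kicks the user out" by forgetting the session (Ory's item 4).
        if any("'" in v for v in req.params.values()):
            self.sessions.discard(sid)
            return Response(500, {}, "Internal error: unterminated string")
        return Response(200, {}, f"account page for id={req.params.get('id', '?')}")


class SessionAwareScanner:
    def __init__(self, app: FakeApp, creds: Dict[str, str]) -> None:
        self.app = app
        self.creds = creds
        self.cookies: Dict[str, str] = {}          # cookie jar
        self.log: List[Tuple[Request, Response]] = []  # raw traffic (item 7)
        self.relogins = 0

    def _send(self, method: str, path: str, params: Dict[str, str]) -> Response:
        req = Request(method, path, dict(params), dict(self.cookies))
        resp = self.app.handle(req)
        self.log.append((req, resp))
        if "Set-Cookie" in resp.headers:           # keep the jar current
            name, _, value = resp.headers["Set-Cookie"].partition("=")
            self.cookies[name] = value
        return resp

    @staticmethod
    def _out_of_session(resp: Response) -> bool:
        return resp.status == 302 and resp.headers.get("Location") == "/login"

    def login(self) -> bool:
        resp = self._send("POST", "/login", self.creds)
        return resp.status == 302 and "SID" in self.cookies

    def request_in_session(self, method: str, path: str, params: Dict[str, str]) -> Response:
        """Send one test request; if the app bounced us to /login, re-authenticate
        and retry once so the test actually exercised the application."""
        resp = self._send(method, path, params)
        if self._out_of_session(resp):
            self.relogins += 1
            if not self.login():
                raise RuntimeError("re-authentication failed; aborting scan")
            resp = self._send(method, path, params)
        return resp

    def run(self, path: str, base: Dict[str, str], mutations: List[str]) -> List[dict]:
        """Append each mutation to each parameter in turn and record what came back."""
        if not self.login():
            raise RuntimeError("initial login failed")
        findings = []
        for name in base:
            for m in mutations:
                params = dict(base)
                params[name] = base[name] + m
                resp = self.request_in_session("GET", path, params)
                findings.append({"param": name, "mutation": m, "status": resp.status,
                                 "in_session": not self._out_of_session(resp)})
        return findings


def demo() -> Tuple[List[dict], int, int]:
    """Run the loop against the constructed app; returns (findings, relogins, log size)."""
    scanner = SessionAwareScanner(FakeApp(), {"user": "tester", "pw": "secret"})
    findings = scanner.run("/account", {"id": "42"}, ["", "'", "A" * 32])
    return findings, scanner.relogins, len(scanner.log)


if __name__ == "__main__":
    for f in demo()[0]:
        print(f)
```

In the run above the apostrophe test returns a 500 and silently kills the session; without the re-login step the third test would have been answered by the login redirect and reported as "nothing found", which is exactly the kind of false negative Toby describes. The `log` list is what a reviewer would go back to when deciding whether a 500 is a real finding or noise.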