WebApp Sec mailing list archives

Re: OS XSS and SQL scanner


From: "Dean H. Saxe" <dean () fullfrontalnerdity com>
Date: Mon, 31 Jul 2006 11:50:15 -0400

All automated scanners result in unreasonable levels of both false positives and false negatives. (I can see the vendor flames coming my way any moment. Feel free to find me at BlackHat to discuss.)

The best mechanism for finding both types of vulnerabilities is through static analysis of the code and/or manual code reviews. The static analysis route may still lead to both false positives and negatives. The next best method would be through black-box pen testing by a human. This may still leave some false negatives due to the inability to cover the entire code base.

Depending on your needs, skill-set and time frame you may choose one or all of these methods to ensure reasonable coverage.

-dhs


Dean H. Saxe, CISSP, CEH
dean () fullfrontalnerdity com
"What difference does it make to the dead, the orphans, and the homeless, whether the mad destruction is wrought under the name of totalitarianism or the holy name of liberty and democracy? "
    --Gandhi


On Jul 31, 2006, at 6:32 AM, Cherian Thomas wrote:

Hi all,
Which is the best XSS and SQL scanner (preferably OS) available? Currently I use Cenzic Hailstorm, but I am too frustrated with its false positives.
Regards,
Cherian
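The following is an added, constructed demonstration of the false-positive/false-negative problem discussed in this thread; it is not code from either poster or from any scanner vendor. Two in-process "pages" (hypothetical application behaviour, named page_escaped and page_unquoted_attr) stand in for HTTP responses so the script runs offline. A reflection-only heuristic flags the correctly encoded page (false positive), a fixed <script> signature misses the unquoted-attribute page whose angle-bracket filter breaks the payload (false negative), and a context-verifying check that parses the response and asks whether the probe token actually became a new tag or attribute gets both right. The probe token and page bodies are invented for the example.

```python
"""
Constructed demonstration of scanner false positives and false negatives
for reflected XSS. The "target pages" below are in-process functions
standing in for HTTP responses so everything runs offline; none of this is
code from the mailing-list thread or from any scanner product.
"""
from html import escape
from html.parser import HTMLParser

# Unique lower-case probe token with no HTML metacharacters (constructed).
MARKER = "xssprobe7731"


# --- constructed target pages (hypothetical application behaviour) ---------

def page_escaped(q: str) -> str:
    """Correctly HTML-encodes the input: not exploitable."""
    return f"<p>Results for {escape(q, quote=True)}</p>"


def page_unquoted_attr(q: str) -> str:
    """Strips angle brackets but reflects into an unquoted attribute value:
    exploitable by attribute injection (e.g. 'x onmouseover=...')."""
    stripped = q.replace("<", "").replace(">", "")
    return f'<input type="text" name="q" value={stripped}>'


# --- naive heuristics of the kind that produce FP/FN ----------------------

def naive_reflection_check(page) -> bool:
    """Flags XSS whenever the probe is echoed back at all, context ignored."""
    return MARKER in page(MARKER)


def naive_signature_check(page) -> bool:
    """Flags XSS only when one fixed <script> payload survives verbatim."""
    payload = f"<script>{MARKER}()</script>"
    return payload in page(payload)


# --- context-verifying check ---------------------------------------------

class _ProbeFinder(HTMLParser):
    """Records whether MARKER turned into a new tag or a new attribute name."""

    def __init__(self):
        super().__init__()
        self.new_tag = False
        self.new_attr = False

    def handle_starttag(self, tag, attrs):
        if tag == MARKER:
            self.new_tag = True
        if any(name == MARKER for name, _ in attrs):
            self.new_attr = True


# One probe per output context we want to break out of.
PROBES = {
    "tag injection": f"<{MARKER}>",
    "attribute injection (unquoted attribute)": f"x {MARKER}=1",
    "attribute injection (double-quoted attribute)": f'x" {MARKER}="1',
}


def context_check(page):
    """Returns the label of the first probe that changed the parsed document
    structure, or None if every probe was neutralised (or never reflected)."""
    if MARKER not in page(MARKER):
        return None  # input is not reflected; nothing to test
    for label, probe in PROBES.items():
        finder = _ProbeFinder()
        finder.feed(page(probe))
        finder.close()
        if finder.new_tag or finder.new_attr:
            return label
    return None


def run_all():
    """Runs all three checks against both constructed pages."""
    pages = {"escaped": page_escaped, "unquoted_attr": page_unquoted_attr}
    return {
        name: {
            "naive_reflection": naive_reflection_check(p),
            "naive_signature": naive_signature_check(p),
            "context_verified": context_check(p),
        }
        for name, p in pages.items()
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(name, result)
```

The structural test is the point: a reflected token proves nothing until the parser confirms it landed as markup, and a single canned payload proves nothing when it is mangled, so a scanner that verifies context rather than string presence trades a large share of both error types for a small amount of extra work per parameter.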
