Penetration Testing mailing list archives

Re: Required Help on Automated Tools

From: Matt - MRS Security <matt () mrssecurity com>
Date: Wed, 15 Oct 2008 19:41:51 +0100

Vin Oxious wrote:

Hello Everyone,

                               Greetings !! ..Can you please list me
some tools that would allow automated testing of the below ...  (
while I have already got a few tools .. just wanted to know if there
are some good ones ) ..

SQL Injection -

XSS -

Improper Session Management -

URL Access -

Direct Object Reference -


regards,
Noxious

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------

Please, please, please, please, please dont automate this kind oftesting and then based upon the results give the customer a pass ifnothing found.

I never ever advise automated application assessments to anyone. Ipersonally from the outset at the most automate the spidering of thesite and then manually audit it.

Improper session management can really only be assessed manually bylooking at the cookie or any session data passed as part of the URL.


There are a number of issues that automated tools will never discover.

Sorry to beat home this fact but at the most automated tools should berun at the end of the test to verify your results.

I know personally of a PCI ASV that i competed against during some workand they used automated scanning, they passed the merchant and i foundSQL injection (XP_CMDSHELL level), XSS, CSRF, weak session management,data passed in the clear to name a few.

More than likely this email is going to cause an argument, but please donot automate testing from the outset. Use it to verify your results.


Thanks

Matt.



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------

Current thread:

Required Help on Automated Tools Vin Oxious (Oct 14)
- Re: Required Help on Automated Tools Christian Martorella (Oct 15)
- Re: Required Help on Automated Tools Matt - MRS Security (Oct 15)
  - Re: Required Help on Automated Tools Dharmendra T (Oct 16)
    - RE: Required Help on Automated Tools Prodigi Child (Oct 16)
    - Re: Required Help on Automated Tools Marian Rudzynski (Oct 16)
    - Re: Required Help on Automated Tools Omar Herrera (Oct 16)
    - Re: Required Help on Automated Tools Taufiq Ali (Oct 17)
- Re: Required Help on Automated Tools nnp (Oct 15)
  - Re: Required Help on Automated Tools Taufiq Ali (Oct 16)
- <Possible follow-ups>
- RE: Required Help on Automated Tools Leverett, Eireann (GE Infra, Energy) (Oct 15)
  - RE: Required Help on Automated Tools Bhalla, Nishchal (Oct 15)