Penetration Testing mailing list archives

Re: [WEB SECURITY] RE: Web Application Scanners Comparison


From: bugtraq () cgisecurity net
Date: Wed, 28 Jan 2009 13:24:52 -0500 (EST)

There's some additional discussion on methodology at
http://www.cgisecurity.com/2009/01/web-application-scanners-comparison.html

- Robert
http://www.cgisecurity.com/ Web site and application security news.
http://www.webappsec.org/ The Web Application Security Consortium


All,
    One of the things I've preached (whether anyone listens or not) is that the efficiency of the crawler is a terrible way to test the effectiveness of a web application security scanner.  There are many tool tests that have been conducted that seem to base the entire foundation of the test on the methodology of 1) input URL, 2) click "GO", 3) review results... that's an absolutely abysmal test base.

    I understand that a crawler is an integral part of the web app security scanner - but I strongly feel that the crawler and the scanner engine are two very, very different things.  A proper vuln scanner engine test would manually provide input for which sections of an application are to be tested, and then, and only then, push the GO button.

    I know some of you disagree - but maybe we can get some intelligent discourse around this?

__
Rafal M. Los
Security & IT Risk Strategist

 - Blog:         http://preachsecurity.blogspot.com
 - LinkedIn:  http://www.linkedin.com/in/rmlos
  From: Albert
  Sent: Wednesday, January 28, 2009 12:57 AM
  To: r () fuckthespam com
  Cc: pen-test () securityfocus com ; webappsec () securityfocus com ; websecurity () webappsec org
  Subject: [WEB SECURITY] RE: Web Application Scanners Comparison


  I agree completely - the author seems to have no credentials which justify being in any position to perform testing of any sort,
  the whole "black magic" atmosphere and arrogant attitude is more than suspicious.

