WebApp Sec mailing list archives
RE: Web Application Source Vulnerability Scanners
From: "Brass, Phil (ISS Atlanta)" <PBrass () iss net>
Date: Tue, 4 Mar 2003 14:48:54 -0500
When you say most, I'm guessing you're excluding at least Spike Proxy, see below:
-----Original Message----- From: Ory Segal [mailto:ory.segal () sanctuminc com] Sent: Tuesday, March 04, 2003 10:25 AM To: webappsec () securityfocus com Subject: RE: Web Application Source Vulnerability Scanners Hi, The problem with most open source tools is that they are very strong in CGI Scanning, but when it comes to mutating real HTTP requests, and testing the web application layer, they lack good engine features. They do not have features such as: 1) Application level tests such as manipulation of : HTML form parameters (SQL Inj., Buffer Overflows, Poison null byte, Format strings bugs, Cookies, HTTP Headers etc...)
It's in there, though not as comprehensive as the commercial tools.
2) Automatic testing validation.
Not sure what this means?
3) Good reporting abilities
I don't think it has any reporting capabilities at all?
4) Session management/Transient management - Keeping the scanner 'in session'. This gives you the ability to scan web applications that force you to login, and may kick you out of session, if you caused some error - I believe that most large web apps have this. I believe that AppScan is the only scanner to perform this action.
Since it's mainly a proxy, your browser keeps it in session. For the static CGI checks it probably does not stay "in-session" with cookies, but I suspect that might not be too hard, at least for static session identifiers.
5) Good performance
Kinda hard to quantify. I would say Spike proxy has average performance for most tests - they are performed one-at-a-time rather than in parallel, like the current generation of many other tools.
6) Contstant updates.
There was a while there where you couldn't go two days without seeing another annoying announcement from Dave about the latest update to Spike proxy.
7) Logging of raw HTTP traffic
It's in there.
8) The ability to easily implement new tests.
VulnXML support for implementing your own checks in a standards-compliant fashion. Plus, fully open-source, so you can fix bugs if they annoy you enough. Not as polished or comprehensive as commercial scanners, but it's free and it *is* application-level, and it *does* have tests for buffer-overflows and SQL injection and the like. Phil
Current thread:
- Re: Web Application Source Vulnerability Scanners, (continued)
- Re: Web Application Source Vulnerability Scanners Kevin Spett (Feb 27)
- Re: Web Application Source Vulnerability Scanners Dave Aitel (Feb 28)
- RE: Web Application Source Vulnerability Scanners Dawes, Rogan (ZA - Johannesburg) (Feb 28)
- RE: Web Application Source Vulnerability Scanners Ory Segal (Mar 04)
- Re: Web Application Source Vulnerability Scanners Javier Fernandez-Sanguino (Mar 07)
- Re: Web Application Source Vulnerability Scanners Kevin Spett (Mar 10)
- Re: Web Application Source Vulnerability Scanners Javier Fernandez-Sanguino (Mar 07)
- RE: Web Application Source Vulnerability Scanners securityarchitect (Mar 04)
- Re: Web Application Source Vulnerability Scanners Dave Aitel (Mar 04)
- Re: Web Application Source Vulnerability Scanners Kevin Spett (Mar 04)
- Re: Web Application Source Vulnerability Scanners Jeff Williams @ Aspect (Mar 04)
- RE: Web Application Source Vulnerability Scanners Brass, Phil (ISS Atlanta) (Mar 04)
- Re: Web Application Source Vulnerability Scanners Toby Barrick (Mar 04)
- RE: Web Application Source Vulnerability Scanners Rose, Tracey (Mar 04)
- RE: Web Application Source Vulnerability Scanners Rosado, Rafael (Rafael) (Mar 04)
- RE: Web Application Source Vulnerability Scanners Vitor Ventura (Mar 20)
- RE: Web Application Source Vulnerability Scanners David Cameron (Mar 20)