RE: Web Application Source Vulnerability Scanners

["Rosado, Rafael (Rafael)" <rarosado () lucent com>]

Toby,

Would you care to share with the list the set of tools ("toolkit") you use?
I am interested in understanding what your "toolkit" of open source and
commercial toolset is comprised of.

Rafael Rosado, CISSP, CISA
IT Security Manager
Caribbean and Latin America Region (CALA) &
Global Risk Assessment and Penetration Testing
Lucent Technologies O  
Corporate Security
Business Assurance and Risk Mitigation Services (B.A.R.M.S.) 
2400 SW 145th Avenue - Room 3S039
Miramar, Florida 33027 
+1 954-885-2176 (voice) *
+1 954-885-3861 (fax) * 
+1 954-648-3532 (mobile) or 9546483532 () mobile att net (text message) *
rarosado () lucent com (email) *

This electronic mail message contains information belonging to Lucent
Technologies, which may be confidential and/or legal privileged. The
information is intended only for the use of the individual or entity named
above. If you are not the intended recipient, you are hereby notified that
any disclosure, printing, copying, distribution, or the taking of any action
in reliance on the contents of this electronically mailed information is
strictly prohibited. If you receive this message in error, please
immediately notify us by electronic mail and delete this message.



-----Original Message-----
From: Toby Barrick [mailto:tbarrick () cox net]
Sent: Tuesday, March 04, 2003 4:08 PM
To: webappsec () securityfocus com
Subject: Re: Web Application Source Vulnerability Scanners


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IMHO, there is no "silver bullet."  My "toolkit" utilizes many 
applications, open source and commercial when validating an 
application/website. I have looked at many programs that proclaim to be 
the "best of breed," but every single one of them have short comings, 
and every single one of them report false positives and negatives.

As in the mechanic world, having a 9/16 (14[.28] mm) wrench will assure 
compatibility with about 20% of the bolts installed on autos, it takes a 
tool box full of wrenches to completely disassemble an auto.

The bottom line is that it takes a keen eye, experience, and a "gut 
feeling" to properly validate the results returned by ANY scanner.

-- 


Toby Barrick
Advisory Software Engineer
AXP Out-Tasking Relationship
IBM Global Services
E-commerce Security
Phone 602-766-2410
Cell 602-790-5438
Fax 480-940-9199
e-Mail:
IBM - tnbarric () us ibm com
AMEX - Internet-Security () aexp com
Personal - tbarrick () cox net

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1

iQA/AwUBPkBTtaCZ55oPBRfIEQIQtACdEeFMxo31Xx+37MgCe3vA2QzZ6H4An3JR
EE4P8UUcvkhKZr8DCvr26yoS
=8VV5
-----END PGP SIGNATURE-----

Brass, Phil (ISS Atlanta) wrote:
> When you say most, I'm guessing you're excluding at least Spike Proxy,
> see below:
>
>
> > -----Original Message-----
> > From: Ory Segal [mailto:ory.segal () sanctuminc com] 
> > Sent: Tuesday, March 04, 2003 10:25 AM
> > To: webappsec () securityfocus com
> > Subject: RE: Web Application Source Vulnerability Scanners
> >
> >
> > Hi,
> >
> > The problem with most open source tools is that they are very 
> > strong in 
> > CGI Scanning, but when it comes to mutating real HTTP requests, and 
> > testing the web application layer, they lack good engine 
> > features. They 
> > do not have features such as:
> > 1) Application level tests such as manipulation of : HTML form 
> > parameters (SQL Inj., Buffer Overflows, Poison null byte, 
> > Format strings 
> > bugs, Cookies, HTTP Headers etc...)
>
>
> It's in there, though not as comprehensive as the commercial tools.
>
>
> > 2) Automatic testing validation.
>
>
> Not sure what this means?
>
>
> > 3) Good reporting abilities
>
>
> I don't think it has any reporting capabilities at all?
>
>
> > 4) Session management/Transient management - Keeping the scanner 'in 
> > session'. This gives you the ability to scan web applications 
> > that force 
> > you to login, and may kick you out of session, if you caused 
> > some error 
> > - I believe that most large web apps have this. I believe 
> > that AppScan 
> > is the only scanner to perform this action.
>
>
> Since it's mainly a proxy, your browser keeps it in session.  For the
> static CGI checks it probably does not stay "in-session" with cookies,
> but I suspect that might not be too hard, at least for static session
> identifiers.
>
>
> > 5) Good performance
>
>
> Kinda hard to quantify.  I would say Spike proxy has average performance
> for most tests - they are performed one-at-a-time rather than in
> parallel, like the current generation of many other tools.
>
>
> > 6) Contstant updates.
>
>
> There was a while there where you couldn't go two days without seeing
> another annoying announcement from Dave about the latest update to Spike
> proxy.
>
>
> > 7) Logging of raw HTTP traffic
>
>
> It's in there.
>
>
> > 8) The ability to easily implement new tests.
>
>
> VulnXML support for implementing your own checks in a
> standards-compliant fashion.
>
> Plus, fully open-source, so you can fix bugs if they annoy you enough.
>
> Not as polished or comprehensive as commercial scanners, but it's free
> and it *is* application-level, and it *does* have tests for
> buffer-overflows and SQL injection and the like.
>
> Phil