WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Environment for testing WebApp Security Scanners

From: <c0redump () ackers org uk>
Date: Wed, 9 Aug 2006 11:44:33 +0100
Nice idea, but no tool can substitute for a little common sense and manual know how. The way cookies like this would be implemented would vary greatly, therefore any security scanner would still rely on signatures - back to the problem at hand again. If it doesn't have the signature/rule it isn't going to pick it up.
Therefore, any web application tool out there, when used, should *always* be followed up by a manual test. 

Just my two pence.

Tom Neaves


Surely it'd be trivial to have a cookie specification field of the
scanning tool. The person doing the scanning could review the cookie
and spec it up a bit. Then the tool could be a bit context aware, at
least of cookies, and watch when fields it may be interested in
changes.



I.e. you could draw links between cookie items and pages, or cookie
items and request fields, etc, etc, etc.



The tool could start to learn common cookie forms and use that to help
suggest what various fields might be.






-------------------------------------------------------------------------
Sponsored by: Watchfire
Watchfire was recently named the worldwide market leader in Web application security assessment tools by both Gartner and IDC. Download a free trial of AppScan today and see why more customers choose AppScan then any other solution. Try it today! https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008VnB 
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: