Dailydave mailing list archives
Web Scanning
From: Dave Aitel <dave () immunityinc com>
Date: Fri, 25 Sep 2015 14:46:10 -0400
Yahoo released a horizontally scalable web scanner today <https://github.com/yahoo/gryffin>, written in GoLang. It's worth a look. I think there are strategic cyber security lessons to be learned from Yahoo releasing a free horizontally scalable web scanner, and that's what this mailing list is about, so let's delve.

Let's look at history. Back in the day you would hire someone to do a web assessment, and they would get WebInspect or AppScan and scan your site, and then they'd poke around on it a little bit with an in-line proxy, and write you a report. Scanning a site with WebInspect took time - maybe each consultant on a team would be doing three scans at once. But the reports invariably would say things like "Hey, we noticed you did all your authentication on the client side. That's cool, but maybe let's try it on the server next time?"

This is where mobile apps are now. They fail to realize that people can mess with variables, and so they are making all the mistakes people made on web apps in 2002. Tooling for security for them is terrible too, which is something we have a video coming out on soon. (Foreshadowing! I does it!)

WebInspect and AppScan got absorbed by giant development chain companies (IBM and HP) and are now "inline" with your whole development process, and this is of course because white box testing is a hell of a lot easier than black box testing. But application penetration testing split invisibly and we forgot to tell anyone. One aspect of it is the deep look by a real hacker - typically a white-box approach. And in those cases, you get cryptographic bugs, insane timing bugs, logic bugs, XSRF bugs, and external entity bugs. SQL Injection and XSS are a side-note. And of course on the other hand there is Lulzsec-style: We scanned your box and five thousand other boxes with Havij and found an SQLi and a file traversal and actually hacked you.
Havij and sqlmap (and WebInspect and AppScan) don't scale, but to solve that problem there are the giant scanning farms, and until yesterday they were all close-hold:

1. WhiteHat
2. Veracode
3. Qualys
4. Tenable
5. WebSiege (Immunity)
6. Gryffin (Yahoo)
7. PunkSpider
8. Google's XSS Scanner (only available for scanning your AppEngine apps)

Are there others? And by others I mean ones that can handle "I have 100000 web applications to scan."

The concept I think we keyed in on a long time ago is that the surface had changed. Much as anybody can run a full-on Internet scan for a port, they can also map your whole web application, and the important thing is, they already have. At some level the "Lulzsec" problem was because companies didn't want to face the reality that their defensive surface had expanded like a 24/7 cable news channel all about little Bobby Tables. And the answer, of course, is partially continuous monitoring, and partially out-sourced vulnerability validation (bug bounties).

-dave