WebApp Sec mailing list archives
Re: Web Application Source Vulnerability Scanners
From: Javier Fernandez-Sanguino <jfernandez () germinus com>
Date: Fri, 07 Mar 2003 13:53:33 +0100
Ory Segal wrote:
Hi,The problem with most open source tools is that they are very strong in CGI Scanning, but when it comes to mutating real HTTP requests, and testing the web application layer, they lack good engine features. They do not have features such as:
Ok. Not completely true. Let's take a look at httpush: http://sourceforge.net/projects/httpush(the answers would be similar if you took Spike proxy or other inline proxies)
1) Application level tests such as manipulation of : HTML form parameters (SQL Inj., Buffer Overflows, Poison null byte, Format strings bugs, Cookies, HTTP Headers etc...)
It has a Plugin API in which you can code this tests. Some are already available.
2) Automatic testing validation.
It does not have those. But I don't understand the point of doing it either.
3) Good reporting abilities
Good ol' text files.
4) Session management/Transient management - Keeping the scanner 'in session'. This gives you the ability to scan web applications that force you to login, and may kick you out of session, if you caused some error - I believe that most large web apps have this. I believe that AppScan is the only scanner to perform this action.
It does this fairly well since it's managed by the browser, httpush is a semi-transparent proxy.
5) Good performance
Fairly good performance as a proxy.
6) Contstant updates.
Not in httpush case but not really necessary.
7) Logging of raw HTTP traffic
Httpush can do that.
8) The ability to easily implement new tests.
Same here.Now, I don't develop httpush myself. But I find it a _very_ useful web application scanner. I think the same of Spike proxy and RFP Procy BTW. However, it's not a "web application _Source_ vulnerability scanner". But, then again, your answer does not answer the original post either (since you are not talking of _source_ scanners either)
Regards Javi
Current thread:
- Web Application Source Vulnerability Scanners Rosado, Rafael (Rafael) (Feb 27)
- Re: Web Application Source Vulnerability Scanners Kevin Spett (Feb 27)
- Re: Web Application Source Vulnerability Scanners Dave Aitel (Feb 28)
- <Possible follow-ups>
- RE: Web Application Source Vulnerability Scanners Dawes, Rogan (ZA - Johannesburg) (Feb 28)
- RE: Web Application Source Vulnerability Scanners Ory Segal (Mar 04)
- Re: Web Application Source Vulnerability Scanners Javier Fernandez-Sanguino (Mar 07)
- Re: Web Application Source Vulnerability Scanners Kevin Spett (Mar 10)
- Re: Web Application Source Vulnerability Scanners Javier Fernandez-Sanguino (Mar 07)
- RE: Web Application Source Vulnerability Scanners securityarchitect (Mar 04)
- Re: Web Application Source Vulnerability Scanners Dave Aitel (Mar 04)
- Re: Web Application Source Vulnerability Scanners Kevin Spett (Mar 04)
- Re: Web Application Source Vulnerability Scanners Jeff Williams @ Aspect (Mar 04)
- RE: Web Application Source Vulnerability Scanners Brass, Phil (ISS Atlanta) (Mar 04)
- Re: Web Application Source Vulnerability Scanners Toby Barrick (Mar 04)
- RE: Web Application Source Vulnerability Scanners Rose, Tracey (Mar 04)
- RE: Web Application Source Vulnerability Scanners Rosado, Rafael (Rafael) (Mar 04)
- RE: Web Application Source Vulnerability Scanners Vitor Ventura (Mar 20)
(Thread continues...)