WebApp Sec mailing list archives
Re: Of the three expensive vulnerability scanners
From: Tom Stracener <strace () gmail com>
Date: 17 Nov 2004 04:19:33 -0000
In-Reply-To: <003801c4c9c6$e5f39530$8d8606d1@rockstar>

Jim,

The problems you've mentioned with regard to the Cross Site Scripting tests point to a functionality area where the major players in the App security market need major improvement. As Jeremiah pointed out, the problem is broader than XSS policies alone, but it certainly affects them.

One reason the XSS policies yield diminishing returns and are poorly organized in reports is due in part, I believe, to a lack of proper detection mechanisms. Both products use a plethora of fault injection techniques, yet neither seems sensitive to whether or not the injected script is returned within the context of the app's response in a form that is executable by a browser. As a result, when one form field is vulnerable to XSS, you can get into situations where virtually every XSS test returns with a positive detection.

As you've no doubt noticed, each product checks for various kinds of XSS, and some of these kinds are distinguished on the basis of the delimiter that is used. Despite the technical differences, each delimiter type has a sophisticated name (i.e. Double Quote, Single Quote, Bracket kung fu, etc.):

"><script ....
'><script ....
">"><script ...
<--<script ...
<textarea><script ...
etc.

While the main vulnerability condition is whether or not an application will "echo back" the script sequences, the real problem is that the different delimiters are important because some will execute when returned by the application, and others will not, depending upon the HTML/Script code of the application. This is why it is important to audit the application's logic, but there really is no reason to test for 12 different types of cross site scripting scenarios using different delimiters and script types if the detection mechanism can't account for which sequences actually yield results that are executable.

The optimal solution in my opinion would be to emulate a browser and trap for alerts (or other events) and then to organize the report data based on which delimiters successfully generated the desired pop-ups (or whatever event is trapped for). The rest could be classified as warnings. This would help to minimize the multiple alerting problems that plague the XSS tests and produce frequently confusing results. While this wouldn't fix the reporting problems, it would help to attenuate the signal.

-tom
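The post argues that a scanner should distinguish probes that merely come back from the application from probes that land somewhere a browser would actually run them, and then rank the report by that. The script below is an added example written for this archive page, not Tom's code or any product's; it uses Python's standard html.parser as a stand-in for the "emulate a browser" step. The marker string, the probe variants and the five page templates (input echoed into a double-quoted attribute, a single-quoted attribute, a text node, a textarea, and an HTML-escaped text node) are all constructed here; a real scanner would feed it the live responses instead.

```python
"""Context-aware XSS reflection classifier (constructed example).

Rather than flagging every probe the application echoes back, parse the
response roughly the way a browser would and report only the probes whose
script actually ends up in an executable position.  Everything else is a
warning, which is the split the post proposes.
"""
from html import escape
from html.parser import HTMLParser

# Constructed, unique marker so the probe can be told apart from page content.
MARKER = "xssprobe_7f3a()"

# Delimiter variants in the spirit of the ones listed in the post (constructed).
PROBES = {
    "double-quote": '"><script>' + MARKER + "</script>",
    "single-quote": "'><script>" + MARKER + "</script>",
    "textarea-close": "</textarea><script>" + MARKER + "</script>",
    "bare": "<script>" + MARKER + "</script>",
}

# Constructed stand-ins for application pages, each echoing the input into a
# different HTML context.  Only the last one encodes its output correctly.
TEMPLATES = {
    "attr-dq": lambda v: '<input type="text" value="%s">' % v,
    "attr-sq": lambda v: "<input type='text' value='%s'>" % v,
    "text-node": lambda v: "<p>Hello %s</p>" % v,
    "textarea": lambda v: '<textarea name="c">%s</textarea>' % v,
    "escaped": lambda v: "<p>Hello %s</p>" % escape(v, quote=True),
}

# Browsers treat the contents of these as text, so a <script> tag inside them
# is never executed; html.parser does not know that, so we track it ourselves.
RCDATA = {"textarea", "title"}


class ExecContextParser(HTMLParser):
    """Records whether MARKER ends up in a <script> body or an on* handler."""

    def __init__(self):
        super().__init__()
        self.in_rcdata = False
        self.in_script = False
        self.executable = False

    def handle_starttag(self, tag, attrs):
        if tag in RCDATA:
            self.in_rcdata = True
        elif tag == "script" and not self.in_rcdata:
            self.in_script = True
        # An event-handler attribute carrying the marker is the "other events"
        # case: it runs when the event fires, not at parse time.
        for name, value in attrs:
            if name.startswith("on") and value and MARKER in value:
                self.executable = True

    def handle_endtag(self, tag):
        if tag in RCDATA:
            self.in_rcdata = False
        elif tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script and MARKER in data:
            self.executable = True


def classify(response):
    """Return 'executes', 'reflected' or 'not-reflected' for one response."""
    if MARKER not in response:
        return "not-reflected"
    p = ExecContextParser()
    p.feed(response)
    p.close()
    return "executes" if p.executable else "reflected"


def scan(templates=TEMPLATES, probes=PROBES):
    """Map (context, delimiter) -> classification for every combination."""
    return {(ctx, name): classify(render(probe))
            for ctx, render in templates.items()
            for name, probe in probes.items()}


def report(results):
    """Group findings the way the post suggests: real hits first, rest as warnings."""
    hits = sorted(k for k, v in results.items() if v == "executes")
    warnings = sorted(k for k, v in results.items() if v == "reflected")
    return {"executes": hits, "warnings": warnings}


if __name__ == "__main__":
    for section, keys in report(scan()).items():
        print(section)
        for ctx, delim in keys:
            print("  %-10s %s" % (ctx, delim))
```

Running it shows the effect the post describes: in the text-node page every delimiter variant executes, so four "findings" describe one bug, while in the attribute and textarea pages only the delimiter that actually closes the surrounding context executes and the others are reflected but inert. The escaped page reflects every probe and executes none, which is exactly the case a reflection-only check misreports as vulnerable. A parser is a coarse approximation of a browser (it does not model tag-soup recovery or JavaScript string contexts), so a production tool would drive a real browser engine, but the classification step stays the same.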
Current thread:
- Of the three expensive vulnerability scanners managingrisk (Oct 07)
- RE: Of the three expensive vulnerability scanners Joe Basirico (Oct 07)
- RE: Of the three expensive vulnerability scanners Don Tuer (Oct 09)
- Re: Of the three expensive vulnerability scanners Mark W. Webb (Nov 29)
- RE: Of the three expensive vulnerability scanners Tommy (Nov 30)
- Re: Of the three expensive vulnerability scanners Cesar (Oct 09)
- <Possible follow-ups>
- Re: Of the three expensive vulnerability scanners Tom Stracener (Oct 12)
- Re: Of the three expensive vulnerability scanners Jim+Lisa Weiler (Nov 14)
- Re: Of the three expensive vulnerability scanners Daniel (Nov 15)
- Re: Of the three expensive vulnerability scanners Jeremiah Grossman (Nov 15)
- Re: Of the three expensive vulnerability scanners Jim+Lisa Weiler (Nov 14)
- Re: Of the three expensive vulnerability scanners Tom Stracener (Nov 16)
- Re: Of the three expensive vulnerability scanners ban.marketing.bs (Nov 20)
- Re: Of the three expensive vulnerability scanners Adam Shostack (Nov 22)
- Re: Of the three expensive vulnerability scanners Jeff Williams (Nov 22)
- Re: Of the three expensive vulnerability scanners Adam Shostack (Nov 22)
- RE: Of the three expensive vulnerability scanners Michael Silk (Nov 22)
- Re: Of the three expensive vulnerability scanners Jim+Lisa Weiler (Nov 25)
- Re: Of the three expensive vulnerability scanners ban.marketing.bs (Nov 22)
- RE: Of the three expensive vulnerability scanners King, Stuart (REHQ-LON) (Nov 22)
- RE: Of the three expensive vulnerability scanners Mark Curphey (Nov 25)
- RE: Of the three expensive vulnerability scanners Michael Silk (Nov 22)
- Re: Of the three expensive vulnerability scanners Adam Shostack (Nov 22)