WebApp Sec mailing list archives
Re: Spi's products worth a try? CENZIC BUSTED
From: Super App Master One <superappmasterzero () gmail com>
Date: Mon, 7 Nov 2005 20:50:48 -0500
Normally these types of threads spiral downward quickly, but this one contained something not to be missed.

- The thread started out as a simple question about impressions towards SPI's scanning tool. (These are good discussion topics when conducted properly.)

- Shortly thereafter Phil Pavay from Cenzic, a scanner competitor, posts the following:

"I am a participant in this email list and very much appreciate the technical content and learned opinions and research discussed within these topics. I am also under the impression (and would like the moderator to clarify) that this is not a marketing and sales tool for the vendors."

An innocent post to be sure.

- A few posts later, the mysterious and never before seen App Master (appmasterzero () hotmail com) pulls out what can be described as a lengthy pro-Cenzic marketing email. We saw it for what it was. (Moderators have a hard job determining if posts like this should be allowed, with the risk of limiting what could be the opinions of real people. Andrew, keep up the good work.)

- Here's where it gets interesting. What App Master may not know is that web mail providers (like Hotmail) typically send an "X-Originating-Ip" email header letting the world know who you are or where you came from.

Header from App Master's post in question:

X-Originating-Ip: [64.60.123.42]

Trusty nslookup reveals:

$ nslookup 64.60.123.42
Non-authoritative answer:
42.123.60.64.in-addr.arpa canonical name = 42.40/29.123.60.64.in-addr.arpa.
42.40/29.123.60.64.in-addr.arpa name = gate.cenzic.com.

That's right, none other than Cenzic. Perhaps Phil got a little jealous when the topic was really "impressions towards SPI's scanning tool".

There you have it boys, girls, and especially over-anxious marketing people. When you try to be clever, make sure you know what you're doing or you risk some humiliation. This type of behavior is exactly why the list charter is how it is.

Super Appman Zero.

On Nov 7, 2005, at 1:04 PM, App Master wrote:
Aman, Cenzic's Hailstorm has also received great reviews. In my experience it's the most accurate tool available for auditing a web application for security vulnerabilities. Gives you lots of control. It would be very useful for your developers to use to scan their applications. Hailstorm itself doesn't do source code scanning, but it excels in statefully testing a web application for vulnerability, and in this regard, you will find its results reliable and second to none.

Please allow me to explain: When you manually test an application, it's time consuming, but it has the advantage of greater accuracy than you ordinarily get out of an ordinary off-the-shelf "App Scanner." You see, a lot of security products are just like machine guns that fire strings at an application and then grep the HTML for another response string. This is the reason that after you run them it takes so long to verify if the results are correct or not, because it's mostly pure signature matching -- stateless -- of raw HTML and server response codes, without any visibility as to what is occurring in the browser (at the application level), or if the application is causally or statefully affected by injected values.

Hailstorm does it differently, using what you might think of as active payloads. It monitors what each injected payload does and then monitors browser memory (it uses a baked-in version of Mozilla) to trap when code or events execute in the application space as a result of its actions. This is a world of difference from other black-box tools. Hailstorm also uses fairly advanced AI when it comes to analyzing server behavior: heuristics, causal and behavior triggers, a significant number of configuration options for advanced tuning.

I like it because it gives me better, more accurate, more actionable results. Period. I am certain it would benefit your team. Check it out at: www.cenzic.com

Thanks
Appman Zero
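The attribution trick in the post above (pull the webmail provider's X-Originating-IP header, then reverse-resolve it) can be scripted so it is repeatable and so a forged or malformed header cannot be fed to a resolver unchecked. The following Python is an added example written for this archive page; it is not code from the original posts or from any vendor mentioned in the thread. The raw message is constructed for the example (only the 64.60.123.42 address comes from the thread; the Received line, message id and addresses are made up), and the stub resolver used in the usage line reproduces the PTR name the post reports rather than querying live DNS. With the default resolver the same function performs a real gethostbyaddr() lookup.

```python
"""Extract the webmail-added X-Originating-IP header from a raw message and
reverse-resolve it, the way the post above does by hand with nslookup."""
import ipaddress
import re
import socket
from email import message_from_string, policy

# Constructed sample message (not the real archived mail). Only the
# X-Originating-IP value is taken from the thread; everything else is made up.
SAMPLE_MESSAGE = """\
Received: from hotmail.com (bay0-omc1-s3.bay0.hotmail.com [65.54.246.75])
    by mail.example.net with ESMTP id k7N1Qa; Mon, 7 Nov 2005 13:04:12 -0500
X-Originating-IP: [64.60.123.42]
From: App Master <appmasterzero@hotmail.com>
To: webappsec@example.net
Subject: Re: Spi's products worth a try?
Date: Mon, 7 Nov 2005 13:04:02 -0500

Aman, Cenzic's Hailstorm has also received great reviews.
"""

# Webmail providers wrap the value in square brackets: "[64.60.123.42]".
_BRACKETED_IP = re.compile(r"^\s*\[?\s*([0-9a-fA-F.:]+)\s*\]?\s*$")
# Address literals inside Received: lines, e.g. "(host.example [65.54.246.75])".
_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(raw_message):
    """Return the X-Originating-IP value as an ipaddress object, or None.

    Strips the brackets and rejects anything that is not a valid IP literal,
    so a forged or garbage header never reaches the resolver.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    value = msg.get("X-Originating-IP")
    if value is None:
        return None
    m = _BRACKETED_IP.match(str(value))
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None


def received_ips(raw_message):
    """Connecting addresses recorded in Received: lines, topmost first.

    The first Received line is the one added by your own MTA, which is the
    only header on the message you can actually vouch for.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    found = []
    for header in msg.get_all("Received", []):
        found.extend(_RECEIVED_IP.findall(str(header)))
    return found


def ptr_name(ip):
    """Reverse-DNS query name, e.g. 42.123.60.64.in-addr.arpa for 64.60.123.42."""
    return ipaddress.ip_address(ip).reverse_pointer


def reverse_lookup(ip, resolver=socket.gethostbyaddr):
    """Resolve an address to a hostname; returns None when no PTR exists.

    `resolver` must behave like socket.gethostbyaddr (return a 3-tuple whose
    first element is the hostname); it is a parameter so the lookup can be
    stubbed out offline.
    """
    try:
        return resolver(str(ip))[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


if __name__ == "__main__":
    ip = originating_ip(SAMPLE_MESSAGE)
    print("X-Originating-IP:", ip)
    print("PTR query name:  ", ptr_name(ip))
    print("Received hops:   ", received_ips(SAMPLE_MESSAGE))
    # Offline stub standing in for DNS; it returns the name the post reports.
    stub = lambda addr: ("gate.cenzic.com", [], [addr])
    print("Reverse lookup:  ", reverse_lookup(ip, resolver=stub))
```

Two caveats a practitioner should keep in mind when using this for attribution: X-Originating-IP is written by the webmail provider, not by your mail server, so it is only as trustworthy as that provider, and any Received line other than the one your own MTA added can be fabricated by the sender. A PTR record is also controlled by whoever owns the address block, so the reverse name is a lead to confirm (for example against a forward lookup of the returned name), not proof on its own.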