WebApp Sec mailing list archives
Re: Comparison report on web app security scanners
From: "Dean H. Saxe" <dean () fullfrontalnerdity com>
Date: Wed, 17 May 2006 19:38:24 -0400
I'm with Mark on this.In the past I worked on a banking app that by design tracked user state through the application. If you didn't follow the workflow, you didn't get access to a particular URL. Are you saying that your scanner, and all others, will fail against this type of application?
I have to believe its more common than you think based on the web app pen testing I have done.
-dhs Dean H. Saxe, CEH dean () fullfrontalnerdity com"Great spirits have often encountered violent opposition from weak minds."
--Einstein Find out about my Hike for Discovery at www.fullfrontalnerdity.com/hfd On May 16, 2006, at 1:47 PM, Mark Curphey wrote:
Bullshit.... -----Original Message----- From: Bogdan Calin [mailto:bogdan () acunetix com] Sent: Tuesday, May 16, 2006 10:10 AM To: webappsec () securityfocus com Cc: Holger.Peine () iese fraunhofer de Subject: Re: Comparison report on web app security scanners Hello, A few days ago Dr. Holger Peine published a "Comparison report on web app security scanners".For this report he used two web applications: one of them is WebGoat andthe other one is a proprietary application which is not public. I don't know anything about this proprietary application but I would like to say that WebGoat is not a good test case for evaluating web scanners.WebGoat is using server side state variables to track user actions. Forexample, if you want to test the String SQL injection flaw you first need to navigate to the "String SQL injection" section in order to set the proper state of the application. If the application is not in the proper state, the SQL injection test will not work. The application will just ignore your inputs.An automated scanner cannot guess this application behavior, and unless you optimize your scanner for this particular application it will not beable to scan it properly. When the scanner has finished discovering the site structure, WebGoatwill be in some unknown state. All tests will be performed while WebGoatis in this state. This is not a common implementation. Because we are offering free audits, we have audited more than 1,000 websites and didn't encountered this kind of implementation.WebGoat is great for learning about web security flaws but I don't thinkit should be used as a test case for web security scanners. Bogdan Calin Acunetix Ltd. - www.acunetix.com Acunetix Web Vulnerability Scanner---------------------------------------------------------------------- ---Sponsored by: WatchfireWatchfire named worldwide market share leader in web application securityassessment by leading market research firm. Watchfire's AppScan is theindustry's first and leading web application security testing suite, andthe only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download a Free Trial of AppScan 6.0 today!https://www.watchfire.com/securearea/appscansix.aspx? id=701300000007t9c ---------------------------------------------------------------------- -------------------------------------------------------------------------- ---Sponsored by: WatchfireWatchfire named worldwide market share leader in web application securityassessment by leading market research firm. Watchfire's AppScan is theindustry's first and leading web application security testing suite, andthe only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download a Free Trial of AppScan 6.0 today!https://www.watchfire.com/securearea/appscansix.aspx? id=701300000007t9c ---------------------------------------------------------------------- ----
------------------------------------------------------------------------- Sponsored by: WatchfireWatchfire named worldwide market share leader in web application security assessment by leading market research firm. Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download a Free Trial of AppScan 6.0 today!
https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c --------------------------------------------------------------------------
Current thread:
- Comparison report on web app security scanners Holger.Peine (May 05)
- <Possible follow-ups>
- Re: Comparison report on web app security scanners Bogdan Calin (May 16)
- RE: Comparison report on web app security scanners Mark Curphey (May 16)
- Re: Comparison report on web app security scanners Dean H. Saxe (May 18)
- Re: Comparison report on web app security scanners Bogdan Calin (May 18)
- RE: Comparison report on web app security scanners Mark Curphey (May 16)
- RE: Comparison report on web app security scanners Holger.Peine (May 16)
- RE: Comparison report on web app security scanners Ory Segal (May 16)
- Re: Comparison report on web app security scanners Jeremiah Grossman (May 17)
- RE: Comparison report on web app security scanners Mark Curphey (May 18)
- Re: Comparison report on web app security scanners Zaninotti, Thiago (May 18)
- Re: Comparison report on web app security scanners Jeremiah Grossman (May 17)
- Re: Comparison report on web app security scanners Eoin (May 17)
- RE: Comparison report on web app security scanners Mark Curphey (May 17)
- RE: Comparison report on web app security scanners Bogdan Calin (May 18)
- Re: Comparison report on web app security scanners solutions_PHP (May 18)