WebApp Sec mailing list archives
Re: OS XSS and SQL scanner
From: Rogan Dawes <discard () dawes za net>
Date: Wed, 02 Aug 2006 18:33:21 +0200
Eoin wrote:
Hi, RE: "This situation is no doubt due to the utter lack of skill and understanding of the subject on the part of the authors." I thought these tools were to assist one, so not as much skill is required? Otherwise one would do it in a manual fashion? What does one think? -ek
I'd say that the tools are absolutely there to assist one. However, that does not in any way mean that you can simply point and click, and get meaningful results.
I'd use such a tool to perform the automatable drudge work. As mentioned before by various persons, that includes checking for trivial XSS, HTTP header injection, and SQL injection vulnerabilities.
I certainly wouldn't trust it to run without supervision (certainly not the FIRST time), and place reliance on its results. All results need to be checked for tool failures that could easily be confused for "pass" results, e.g. undetected session invalidation, account lockout, etc.
That's one of the reasons that I don't try to do any automated analysis of the results generated by the WebScarab fuzzer. I *WANT* the operator to take a look at all of the responses, and make up their own minds. The value of the Fuzzer is really to automate the repetitive "try this string in this parameter", in all possible permutations, so that the user does not have to do all the clicks and typing themselves. But analysing the results should be a job for a human. Someone who *knows* what they are looking at. IMO.
Rogan
On 01/08/06, Arian J. Evans <arian.evans () anachronic com> wrote:
> > -----Original Message-----
> > From: Mandeep Khera [mailto:mandeep () cenzic com]
> >
> > I am sorry to hear that you perceive some problems with our
> > product. We take pride in being the most accurate product
> > with least amount of false positives in the industry. This
> > has been proven in many bake-offs by customers and
> > independent journalists.
>
> Hate to take this a little off topic, but do you have any facts that can
> support or back up these claims? Any data produced by anyone competent
> that speaks to your "false positives" and also your "false negatives"?
>
> I have failed to read a review yet to date that contains useful
> information. So far what I've read varies from useless data organized
> around features like "reflective buttons" (e.g. the Acunetix review posted
> to this list written by some woman who writes windows software articles)
> to the other extreme of uninformed opinion and inability to keep features
> between the products straight (secure enterprise computing review). This
> includes infosec magazine and online reviews, bake-offs, and Gartner-style
> evals.
>
> Every one I have read so far is garbage. Not one covers actual tests run
> and the how & why around them. This situation is no doubt due to the
> utter lack of skill and understanding of the subject on the part of the
> authors.
>
> However, I think all on this list would welcome information of a
> high-quality nature regarding scanner quality, if you have anything like
> that to point us at.
>
> -ae
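Rogan's point that a tool failure (a session silently invalidated, an account locked out) produces responses that look exactly like "not vulnerable" is easy to show with a small triage step over a fuzzer's recorded responses. The following is an added example, not code from the original thread and not WebScarab's own; the `FuzzResult` shape, the login and lockout patterns, the labels and the sample responses are all constructed assumptions that a real review would tune to the application being tested. It labels each response, marks everything sent after the scan broke as untrusted, and never emits a "pass" label at all, leaving that decision to the operator.

```python
"""Triage fuzzer responses so that scan failures are not mistaken for 'pass'.

Added example (not WebScarab code). Every pattern and sample response below is
constructed for illustration; a real review tunes them to the target application.
"""
import re
from dataclasses import dataclass


@dataclass
class FuzzResult:
    """One request/response pair as a fuzzer might record it (constructed shape)."""
    seq: int             # order in which the fuzzer sent the request
    parameter: str       # parameter the payload was injected into
    payload: str         # the string that was tried
    status: int          # HTTP status code of the response
    location: str = ""   # Location header, if the response was a redirect
    body: str = ""       # response body


# Assumed indicators that the *scan* broke rather than that the parameter is safe.
SESSION_LOST = re.compile(r"/login\b|session[ _-]?(expired|invalid)", re.I)
LOCKED_OUT = re.compile(r"account (is |has been )?locked|too many (failed )?attempts", re.I)


def classify(r: FuzzResult) -> str:
    """Label a single response. 'REVIEW' deliberately means 'a human decides',
    never 'pass': absence of a reflection proves nothing on its own."""
    if r.status in (301, 302, 303, 307, 308) and SESSION_LOST.search(r.location):
        return "SESSION_INVALIDATED"
    if LOCKED_OUT.search(r.body):
        return "ACCOUNT_LOCKED"
    if r.status >= 500:
        return "SERVER_ERROR"
    if r.payload and r.payload in r.body:
        return "REFLECTED"          # payload echoed unescaped: candidate, confirm by hand
    return "REVIEW"


def triage(results):
    """Label every result in send order. Once a response shows the session was
    lost or the account locked, every later response is marked UNTRUSTED: those
    requests never reached the code under test, so a quiet 200 is not a pass."""
    labels = {}
    broken_at = None
    for r in sorted(results, key=lambda x: x.seq):
        label = classify(r)
        if broken_at is not None:
            label = f"UNTRUSTED(after #{broken_at})"
        elif label in ("SESSION_INVALIDATED", "ACCOUNT_LOCKED"):
            broken_at = r.seq
        labels[r.seq] = label
    return labels


def summarize(results):
    """Count labels, collapsing the UNTRUSTED(...) variants into one bucket."""
    counts = {}
    for label in triage(results).values():
        key = label.split("(")[0]
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample run: two payloads against three parameters, where the
# third request silently invalidated the session (a realistic tool failure).
XSS = "<script>alert(1)</script>"
SQLI = "' OR '1'='1"
LOGIN_PAGE = "<form action='/login'>Please log in</form>"
SAMPLE = [
    FuzzResult(1, "q", XSS, 200, body=f"<p>Results for {XSS}</p>"),
    FuzzResult(2, "q", SQLI, 500, body="Internal Server Error"),
    FuzzResult(3, "id", XSS, 302, location="/login?reason=expired"),
    FuzzResult(4, "id", SQLI, 200, body=LOGIN_PAGE),
    FuzzResult(5, "name", XSS, 200, body=LOGIN_PAGE),
    FuzzResult(6, "name", SQLI, 200, body=LOGIN_PAGE),
]

if __name__ == "__main__":
    for seq, label in sorted(triage(SAMPLE).items()):
        print(f"#{seq} {SAMPLE[seq - 1].parameter:<5} {label}")
    print(summarize(SAMPLE))
```

Responses 4 to 6 classify as plain `REVIEW` on their own, which is exactly the trap: nothing was reflected, so a naive scanner would call the `id` and `name` parameters clean. Only the ordering check exposes that they were answered by the login page. The regexes are placeholders; the real signal for "session lost" or "locked out" is whatever the application under review actually returns, which is something the operator learns by looking at the responses, as the post recommends.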
Current thread:
- OS XSS and SQL scanner Cherian Thomas (Jul 31)
- Re: OS XSS and SQL scanner Dean H. Saxe (Jul 31)
- <Possible follow-ups>
- RE: OS XSS and SQL scanner Mandeep Khera (Jul 31)
- RE: OS XSS and SQL scanner Arian J. Evans (Aug 01)
- Re: OS XSS and SQL scanner Dean H. Saxe (Aug 02)
- Re: OS XSS and SQL scanner Rory McCune (Aug 02)
- Message not available
- Re: OS XSS and SQL scanner Dean H. Saxe (Aug 02)
- RE: OS XSS and SQL scanner Arian J. Evans (Aug 01)
- Re: OS XSS and SQL scanner Eoin (Aug 02)
- Re: OS XSS and SQL scanner Rogan Dawes (Aug 02)
- Re: OS XSS and SQL scanner Devdas Bhagat (Aug 02)
- RE: OS XSS and SQL scanner Burke, Charles (Aug 02)