WebApp Sec mailing list archives
Re: Environment for testing WebApp Security Scanners
From: "Dean H. Saxe" <dean () fullfrontalnerdity com>
Date: Tue, 8 Aug 2006 20:01:36 -0400
Then why haven't the tool vendors gone down that path? They are marketing to the lowest common denominator. People who want to check a box and say "I'm secure!"
Granted, web app scanners can be used as part of a secure SDLC, but I'd venture to guess that the vast majority of organizations don't implement them within an S-SDLC. Most probably don't ever do a follow-up with a manual pen test.
-dhs Dean H. Saxe, CISSP, CEH dean () fullfrontalnerdity com"To announce that there must be no criticism of the president, or that we are to stand by the president right or wrong, is not only unpatriotic and servile, but is morally treasonable to the American public."
-- Theodore Roosevelt On Aug 8, 2006, at 7:25 PM, mikeiscool wrote:
On 8/9/06, Dean H. Saxe <dean () fullfrontalnerdity com> wrote:Just remember, some vendors put in signatures specifically for apps like this that they know will be tested. I spoke with some folks at Blackhat last week from one of the tool vendors that admitted they don't find all the vulnerabilities in HacmeBank. Why? Because bypassing the login form using SQL injection may require you to throw away the cookies which maintain the login attempts state information. For instance, if you try SQL injection too many times and fail to login with those attempts, a cookie which controls the remaining number of login attempts will force all further attempts to fail. Of course, a human would delete the login attempt counter cookie and solve the problem quite simply. I see this as a major weakness of these types of tools. Developers store all kinds of crap in cookies, without a good analysis of the cookies by a human, how do we know when deleting this information will adversely affect the application's security? This is not an edge case where such tools scan. Its a very commonly revealed vulnerability in my web app pen testing and code review experience. (FWIW I work for Foundstone.)Surely it'd be trivial to have a cookie specification field of the scanning tool. The person doing the scanning could review the cookie and spec it up a bit. Then the tool could be a bit context aware, at least of cookies, and watch when fields it may be interested in changes. I.e. you could draw links between cookie items and pages, or cookie items and request fields, etc, etc, etc. The tool could start to learn common cookie forms and use that to help suggest what various fields might be.-dhs Dean H. Saxe, CISSP, CEH dean () fullfrontalnerdity com Here in America everything is bought and sold, you can get anything for little bits of gold. We'll rape the earth and ruin the air, cut down every tree from here to there. -- Donna The Buffalo "America"-- mic
------------------------------------------------------------------------- Sponsored by: WatchfireWatchfire was recently named the worldwide market leader in Web application security assessment tools by both Gartner and IDC. Download a free trial of AppScan today and see why more customers choose AppScan then any other solution. Try it today! https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008VnB
--------------------------------------------------------------------------
Current thread:
- Environment for testing WebApp Security Scanners René Palige (Aug 07)
- RE: Environment for testing WebApp Security Scanners Mark Curphey (Aug 08)
- Re: Environment for testing WebApp Security Scanners Roman H. (Aug 08)
- RE: Environment for testing WebApp Security Scanners Brokken, Allen P. (Aug 08)
- Re: Environment for testing WebApp Security Scanners Dean H. Saxe (Aug 08)
- Re: Environment for testing WebApp Security Scanners Gerald Quakenbush (Aug 08)
- RE: Environment for testing WebApp Security Scanners Mark Curphey (Aug 08)
- Re: Environment for testing WebApp Security Scanners mikeiscool (Aug 08)
- Re: Environment for testing WebApp Security Scanners Dean H. Saxe (Aug 08)
- Re: Environment for testing WebApp Security Scanners mikeiscool (Aug 08)
- Re: Environment for testing WebApp Security Scanners Dean H. Saxe (Aug 08)
- Re: Environment for testing WebApp Security Scanners c0redump (Aug 09)
- Re: Environment for testing WebApp Security Scanners mikeiscool (Aug 09)
- <Possible follow-ups>
- RE: Environment for testing WebApp Security Scanners Evans, Arian (Aug 23)
- Re: [WEB SECURITY] RE: Environment for testing WebApp Security Scanners Enis Karaarslan (Aug 24)
- Message not available
- Message not available
- RE: [WEB SECURITY] RE: Environment for testing WebApp Security Scanners Enis Karaarslan (Aug 24)
- Re: [WEB SECURITY] RE: Environment for testing WebApp Security Scanners Enis Karaarslan (Aug 24)
- Re: [WEB SECURITY] RE: Environment for testing WebApp Security Scanners René Palige (Aug 24)
- Message not available
- Message not available
- RE: [WEB SECURITY] RE: Environment for testing WebApp Security Scanners Enis Karaarslan (Aug 24)
- Re: [WEB SECURITY] RE: Environment for testing WebApp Security Scanners René Palige (Aug 24)