WebApp Sec mailing list archives
RE: Environment for testing WebApp Security Scanners
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Wed, 23 Aug 2006 16:54:52 -0500
I added the WASC list, since many folks there are sensitive to this same subject.
-----Original Message----- From: René Palige [mailto:rwp () gmx de] I?m currently working on my bachelor thesis which is about the development of a testsuite for different Web Application Security Scanners. My goal is to provide an environment
This, I discovered, was very challenging. When I post the OWASP Tools v3, one section of it is going to be about my trials and tribulations, mistakes, misfires and general stupidity in trying to scientifically, systematically evaluate tools, which culminated in the HEWA2 book. No one has done a good job at this, most reviews are just plain crap (sorry, everyone, it's the truth; if there's a good review to defend please step up to the plate). I have been holding off releasing v3 (which is a narrative doc) until I can put it out for peer review before making a final, hard, PDF. (should I just post to the list and let everyone chime in?...I'm afraid to do this b/c some of it is _not_nice_) I hope someone will wikify the end product.
I?m planning to use OWASPs WebGoat as some kind of groundwork.
Not bad, but you will need more. Unless your thesis is "how effectively do webappscanner vendors code to detect issues in WebGoat?"
Would it be best to focus on "real-life scenarios"?
That's what I fell upon. It's a bit more realistic. You get no tautology from the scanner vendors. You get real use-case scenarios, and a story to tell.
Or rather to cover as many aspects of a special class of vulnerabilities as possible?
This, also, I tackled, and have an evolving-complexity XSS generator; I have a couple of types now and continue to add more as time permits, and it is use specifically to generate XSS-vuln pages of varying filter/encoding complexity. It really should be in SiteGenerator (owasp.net) but it helps me make sure I'm not misunderstanding something to force myself to write complicated mistakes out by hand. :) Maybe I'll just rip the scanner eval story and post just that. Very cool, we need some smart grad work here. Arian J. Evans ------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire was recently named the worldwide market leader in Web application security assessment tools by both Gartner and IDC. Download a free trial of AppScan today and see why more customers choose AppScan then any other solution. Try it today! https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008VnB --------------------------------------------------------------------------
Current thread:
- Re: Environment for testing WebApp Security Scanners, (continued)
- Re: Environment for testing WebApp Security Scanners Roman H. (Aug 08)
- RE: Environment for testing WebApp Security Scanners Brokken, Allen P. (Aug 08)
- Re: Environment for testing WebApp Security Scanners Dean H. Saxe (Aug 08)
- Re: Environment for testing WebApp Security Scanners Gerald Quakenbush (Aug 08)
- RE: Environment for testing WebApp Security Scanners Mark Curphey (Aug 08)
- Re: Environment for testing WebApp Security Scanners mikeiscool (Aug 08)
- Re: Environment for testing WebApp Security Scanners Dean H. Saxe (Aug 08)
- Re: Environment for testing WebApp Security Scanners mikeiscool (Aug 08)
- Re: Environment for testing WebApp Security Scanners Dean H. Saxe (Aug 08)
- Re: Environment for testing WebApp Security Scanners c0redump (Aug 09)
- Re: Environment for testing WebApp Security Scanners mikeiscool (Aug 09)
- Re: [WEB SECURITY] RE: Environment for testing WebApp Security Scanners Enis Karaarslan (Aug 24)
- Message not available
- Message not available
- RE: [WEB SECURITY] RE: Environment for testing WebApp Security Scanners Enis Karaarslan (Aug 24)