WebApp Sec mailing list archives
RE: [WEB SECURITY] RE: Environment for testing WebApp Security Scanners
From: "Enis Karaarslan" <enis.karaarslan () ege edu tr>
Date: Thu, 24 Aug 2006 16:46:48 +0200
Well, the phrase is fom it's "collector". The applications are samples of blog, buletin board, ...etc. Ofcourse they should'nt be used as they are in "real life" implementations. It can happen that a patch isn't timely published. Also in enterprise networks, it's sometimes possible that a web server is managed by some other administrator and not updated timely. For a security lab, no patches should be applied. Well, in a lab environment, I keep them as they are. They can be put in a honeypot also to see what happens :) Enis
"Real-life" programs meaning applications intended for actual use, not just for security benchmarking? Wouldn't you want to fix the vulns you find in those, thereby ruining their value as benchmarks? -----Original Message----- From: Enis Karaarslan [mailto:enis.karaarslan () ege edu tr] Sent: Thu 8/24/2006 3:08 AM To: Evans, Arian; rwp () gmx de Cc: websecurity () webappsec org; webappsec () securityfocus com Subject: Re: [WEB SECURITY] RE: Environment for testing WebApp Security Scanners Hello all, I am currently working on web/web application security issues in enterprise networks as an academic study. I think, the fundamental problem (especially in campus networks), there is usually no "network awareness". In enterprise networks, hundreds of different web servers and different web applications can be present, where usually nobody knows detailed info about web servers and applications running on them. Maybe most of you know, For security testing environment there is Stanford Securibench, which is a set of open source real-life programs to be used as a testing ground for static and dynamic security tools. Release .91a focuses on Web-based applications written in Java. http://suif.stanford.edu/~livshits/securibench/ There are many web/ web application security scanners. If anyone intrested in this subject and also for a joint work, s/he is always welcome. Enis Karaarslan Ege UniversityI added the WASC list, since many folks there are sensitive to this same subject.-----Original Message----- From: René Palige [mailto:rwp () gmx de] I?m currently working on my bachelor thesis which is about the development of a testsuite for different Web Application Security Scanners. My goal is to provide an environmentThis, I discovered, was very challenging. When I post the OWASP Tools v3, one section of it is going to be about my trials and tribulations, mistakes, misfires and general stupidity in trying to scientifically, systematically evaluate tools, which culminated in the HEWA2 book. No one has done a good job at this, most reviews are just plain crap (sorry, everyone, it's the truth; if there's a good review to defend please step up to the plate). I have been holding off releasing v3 (which is a narrative doc) until I can put it out for peer review before making a final, hard, PDF. (should I just post to the list and let everyone chime in?...I'm afraid to do this b/c some of it is _not_nice_) I hope someone will wikify the end product.I?m planning to use OWASPs WebGoat as some kind of groundwork.Not bad, but you will need more. Unless your thesis is "how effectively do webappscanner vendors code to detect issues in WebGoat?"Would it be best to focus on "real-life scenarios"?That's what I fell upon. It's a bit more realistic. You get no tautology from the scanner vendors. You get real use-case scenarios, and a story to tell.Or rather to cover as many aspects of a special class of vulnerabilities as possible?This, also, I tackled, and have an evolving-complexity XSS generator; I have a couple of types now and continue to add more as time permits, and it is use specifically to generate XSS-vuln pages of varying filter/encoding complexity. It really should be in SiteGenerator (owasp.net) but it helps me make sure I'm not misunderstanding something to force myself to write complicated mistakes out by hand. :) Maybe I'll just rip the scanner eval story and post just that. Very cool, we need some smart grad work here. Arian J. Evans
----------------------------------------------------------------------------
The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/ The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/ http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
----------------------------------------------------------------------------
The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/ The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/ http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire was recently named the worldwide market leader in Web application security assessment tools by both Gartner and IDC. Download a free trial of AppScan today and see why more customers choose AppScan then any other solution. Try it today! https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008VnB -------------------------------------------------------------------------- ------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire was recently named the worldwide market leader in Web application security assessment tools by both Gartner and IDC. Download a free trial of AppScan today and see why more customers choose AppScan then any other solution. Try it today! https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008VnB --------------------------------------------------------------------------
Current thread:
- RE: Environment for testing WebApp Security Scanners, (continued)
- RE: Environment for testing WebApp Security Scanners Mark Curphey (Aug 08)
- Re: Environment for testing WebApp Security Scanners mikeiscool (Aug 08)
- Re: Environment for testing WebApp Security Scanners Dean H. Saxe (Aug 08)
- Re: Environment for testing WebApp Security Scanners mikeiscool (Aug 08)
- Re: Environment for testing WebApp Security Scanners c0redump (Aug 09)
- Re: Environment for testing WebApp Security Scanners mikeiscool (Aug 09)
- Re: [WEB SECURITY] RE: Environment for testing WebApp Security Scanners Enis Karaarslan (Aug 24)
- Message not available
- Message not available
- RE: [WEB SECURITY] RE: Environment for testing WebApp Security Scanners Enis Karaarslan (Aug 24)