WebApp Sec mailing list archives
Re: [WEB SECURITY] RE: Web Application Scanners Comparison
From: bugtraq () cgisecurity net
Date: Wed, 28 Jan 2009 13:24:52 -0500 (EST)
There's some additional discussion on methodology at http://www.cgisecurity.com/2009/01/web-application-scanners-comparison.html

- Robert
http://www.cgisecurity.com/ Web site and application security news.
http://www.webappsec.org/ The Web Application Security Consortium
All,

One of the things I've preached (whether anyone listens or not) is that the efficiency of the crawler is a terrible way to test the effectiveness of a web application security scanner. There are many tool tests that have been conducted that seem to base the entire foundation of the test on the methodology of 1) input URL, 2) click "GO", 3) review results... that's an absolutely abysmal test base.

I understand that a crawler is an integral part of the web app security scanner - but I strongly feel that the crawler and the scanner engine are two very, very different things. A proper vuln scanner engine test would manually provide input for which sections of an application are to be tested, and then, and only then, push the GO button.

I know some of you disagree - but maybe we can get some intelligent discourse around this?

__
Rafal M. Los
Security & IT Risk Strategist
- Blog: http://preachsecurity.blogspot.com
- LinkedIn: http://www.linkedin.com/in/rmlos

From: Albert
Sent: Wednesday, January 28, 2009 12:57 AM
To: r () fuckthespam com
Cc: pen-test () securityfocus com ; webappsec () securityfocus com ; websecurity () webappsec org
Subject: [WEB SECURITY] RE: Web Application Scanners Comparison

I agree completely - the author seems to have no credentials which justify being in any position to perform testing of any sort, the whole "black magic" atmosphere and arrogant attitude is more than suspicious.