Re: Web Application Source Vulnerability Scanners
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
IMHO, there is no "silver bullet." My "toolkit" utilizes many
applications, open source and commercial, when validating an
application/website. I have looked at many programs that proclaim to be
the "best of breed," but every single one of them has shortcomings,
and every single one of them reports false positives and negatives.
As in the mechanic's world: having a 9/16 (14[.28] mm) wrench will assure
compatibility with about 20% of the bolts installed on autos, but it takes a
toolbox full of wrenches to completely disassemble an auto.
The bottom line is that it takes a keen eye, experience, and a "gut
feeling" to properly validate the results returned by ANY scanner.
--
Toby Barrick
Advisory Software Engineer
AXP Out-Tasking Relationship
IBM Global Services
E-commerce Security
Phone 602-766-2410
Cell 602-790-5438
Fax 480-940-9199
e-Mail:
IBM - tnbarric@us.ibm.com
AMEX - Internet-Security@aexp.com
Personal - tbarrick@cox.net
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1
iQA/AwUBPkBTtaCZ55oPBRfIEQIQtACdEeFMxo31Xx+37MgCe3vA2QzZ6H4An3JR
EE4P8UUcvkhKZr8DCvr26yoS
=8VV5
-----END PGP SIGNATURE-----
Brass, Phil (ISS Atlanta) wrote:
> When you say most, I'm guessing you're excluding at least Spike Proxy,
>>-----Original Message-----
>>From: Ory Segal [mailto:ory.segal@sanctuminc.com]
>>Sent: Tuesday, March 04, 2003 10:25 AM
>>To: webappsec@securityfocus.com
>>Subject: RE: Web Application Source Vulnerability Scanners
>>
>>
>>Hi,
>>
>>The problem with most open source tools is that they are very strong in
>>CGI Scanning, but when it comes to mutating real HTTP requests, and
>>testing the web application layer, they lack good engine features. They
>>do not have features such as:
>>1) Application level tests such as manipulation of: HTML form
>>parameters (SQL Inj., Buffer Overflows, Poison null byte, Format strings
>>bugs, Cookies, HTTP Headers etc...)
>
>
> It's in there, though not as comprehensive as the commercial tools.
>>2) Automatic testing validation.
>
>
> Not sure what this means?
>>3) Good reporting abilities
>
>
> I don't think it has any reporting capabilities at all?
>>4) Session management/Transient management - Keeping the scanner 'in
>>session'. This gives you the ability to scan web applications that force
>>you to login, and may kick you out of session, if you caused some error
>>- I believe that most large web apps have this. I believe that AppScan
>>is the only scanner to perform this action.
>
>
> Since it's mainly a proxy, your browser keeps it in session. For the
>>5) Good performance
>
>
> Kinda hard to quantify. I would say Spike proxy has average performance
>>6) Constant updates.
>
>
> There was a while there where you couldn't go two days without seeing
>>7) Logging of raw HTTP traffic
>
>
> It's in there.
>
>
>>8) The ability to easily implement new tests.
>
>
> VulnXML support for implementing your own checks in a
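Item 4 in the quoted list (keeping the scanner "in session") and Toby's point that the results of any scanner must be validated meet in practice when a test request gets the scanner logged out: the clean-looking response that follows is not evidence that the test passed, it is a response from the login flow. The following is an added example, not code from the original thread or from any of the scanners it mentions. It models logged responses (item 7), detects the logged-out state, and separates the tests whose verdict can be trusted from those that must be re-run after re-authenticating. The login path, session cookie name, and sample responses are constructed assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class HttpResponse:
    """Minimal model of one logged response (the raw HTTP traffic a scanner should keep)."""
    status: int
    headers: dict[str, object] = field(default_factory=dict)
    body: str = ""


# Application-specific markers of a logged-out state. These are assumptions made
# for this example; for a real target they come from observing its login flow.
LOGIN_PATH = "/login"
SESSION_COOKIE = "JSESSIONID"
PASSWORD_FIELD_RE = re.compile(r"<input[^>]+type=[\"']password[\"']", re.IGNORECASE)


def session_lost(resp: HttpResponse) -> bool:
    """True when the response shows the scanner has been kicked out of session.

    Four signals are checked: a redirect to the login page, an explicit 401,
    a Set-Cookie that clears the session cookie, and a login form in the body.
    """
    # 1. Redirect whose target (ignoring the query string) is the login page.
    location = str(resp.headers.get("Location", ""))
    if resp.status in (301, 302, 303, 307) and location.split("?", 1)[0].endswith(LOGIN_PATH):
        return True
    # 2. Authentication explicitly rejected.
    if resp.status == 401:
        return True
    # 3. Server cleared the session cookie (empty value or Max-Age=0).
    cookies = resp.headers.get("Set-Cookie", [])
    if isinstance(cookies, str):
        cookies = [cookies]
    for cookie in cookies:
        name, _, rest = str(cookie).partition("=")
        value, _, attrs = rest.partition(";")
        if name.strip() == SESSION_COOKIE and (value.strip() == "" or "max-age=0" in attrs.lower()):
            return True
    # 4. The page served is the login form itself.
    return bool(PASSWORD_FIELD_RE.search(resp.body))


def triage(results: list[tuple[str, HttpResponse]]) -> dict[str, list[str]]:
    """Split scanner test results into ones whose verdict can be trusted and
    ones that must be re-run after re-authenticating.

    A "not vulnerable" verdict recorded while logged out is a false negative:
    the test never reached the application logic it was meant to exercise.
    """
    out: dict[str, list[str]] = {"trusted": [], "rerun": []}
    for test_id, resp in results:
        out["rerun" if session_lost(resp) else "trusted"].append(test_id)
    return out


# Constructed sample log, not from any real scan: five test requests and the
# responses they produced after the scanner had logged in.
SAMPLE_RESULTS = [
    ("form-param:order_id", HttpResponse(200, {}, "<html>Order #42: 3 items</html>")),
    ("form-param:name", HttpResponse(302, {"Location": "/login?next=%2Forders"})),
    ("query:q", HttpResponse(200, {}, '<form method="post"><input type="password" name="pw"></form>')),
    ("header:user-agent", HttpResponse(200, {"Set-Cookie": ["JSESSIONID=; Max-Age=0; Path=/"]}, "ok")),
    ("form-param:msg", HttpResponse(500, {}, "Internal Server Error")),
]

if __name__ == "__main__":
    report = triage(SAMPLE_RESULTS)
    print("verdict usable   :", report["trusted"])
    print("re-run in session:", report["rerun"])
```

On the constructed sample, three of the five tests land in the re-run bucket even though two of them returned HTTP 200, which is exactly the case where a scanner that only looks at status codes and error strings would record a false negative. The 500 response stays in the trusted bucket because it was produced in session; whether it indicates a real fault is then the analyst's call, which is the "keen eye" the thread is about.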
Received on Tue Mar 4 16:11:17 2003
This archive was generated by hypermail 2.1.8: Wed Aug 23 2006 - 14:07:49 EDT