[WEB SECURITY] RE: Web Application Scanners Comparison

Rafal @ IsHackingYou.com rafal at ishackingyou.com
Wed Jan 28 12:15:26 EST 2009


All,
    One of the things I've preached (whether anyone listens or not) is that the efficiency of the crawler is a terrible way to test the effectiveness of a web application security scanner.  There are many tools tests that have been conducted that seem to base the entire foundation of the test based on the methodology of 1) input URL, 2) click "GO", 3) review results... that's an absolutely abismal test base.

    I understand that a crawler is an integral part of the web app security scanner - but I strongly feel that the crawler and the scanner engine are two very, very different things.  A proper vuln scanner engine test would manually provide input for which sections of an application are to be tested, and then, and only then, push the GO button.

    I know some of you disagree - but maybe we can get some intelligent discourse around this?

__
Rafal M. Los
Security & IT Risk Strategist

 - Blog:         http://preachsecurity.blogspot.com
 - LinkedIn:  http://www.linkedin.com/in/rmlos
  From: Albert 
  Sent: Wednesday, January 28, 2009 12:57 AM
  To: r at fuckthespam.com 
  Cc: pen-test at securityfocus.com ; webappsec at securityfocus.com ; websecurity at webappsec.org 
  Subject: [WEB SECURITY] RE: Web Application Scanners Comparison


  I agree completely - the author seems to have no credentials which justify being in any position to perform testing of any sort, 
  the whole "black magic" atmosphere and arrogant attitude is more than suspicious.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20090128/d647f3fb/attachment.html>


More information about the websecurity mailing list