[WEB SECURITY] RE: Web Application Scanners Comparison

bugtraq at cgisecurity.net bugtraq at cgisecurity.net
Wed Jan 28 13:24:52 EST 2009


There's some additional discussion on methodology at
http://www.cgisecurity.com/2009/01/web-application-scanners-comparison.html

- Robert
http://www.cgisecurity.com/ Web site and application security news.
http://www.webappsec.org/ The Web Application Security Consortium

> All,
>     One of the things I've preached (whether anyone listens or not) is
> that the efficiency of the crawler is a terrible way to test the
> effectiveness of a web application security scanner.  There are many
> tool tests that have been conducted that seem to base the entire
> foundation of the test on the methodology of 1) input URL, 2) click
> "GO", 3) review results... that's an absolutely abysmal test base.
> 
>     I understand that a crawler is an integral part of the web app
> security scanner - but I strongly feel that the crawler and the scanner
> engine are two very, very different things.  A proper vuln scanner
> engine test would manually provide input for which sections of an
> application are to be tested, and then, and only then, push the GO
> button.
> 
>     I know some of you disagree - but maybe we can get some intelligent
> discourse around this?
> 
> __
> Rafal M. Los
> Security & IT Risk Strategist
> 
>  - Blog:         http://preachsecurity.blogspot.com
>  - LinkedIn:  http://www.linkedin.com/in/rmlos
>   From: Albert
>   Sent: Wednesday, January 28, 2009 12:57 AM
>   To: r at fuckthespam.com
>   Cc: pen-test at securityfocus.com ; webappsec at securityfocus.com ;
> websecurity at webappsec.org
>   Subject: [WEB SECURITY] RE: Web Application Scanners Comparison
> 
> 
>   I agree completely - the author seems to have no credentials which
> justify being in any position to perform testing of any sort,
>   the whole "black magic" atmosphere and arrogant attitude is more than
> suspicious.

