[WEB SECURITY] In depth security scanning versus breadth based

Andres Riancho andres.riancho at gmail.com
Tue Jul 7 21:49:02 EDT 2009


Robert,

On Tue, Jul 7, 2009 at 9:14 PM, <robert at webappsec.org> wrote:
> Hello Everyone,
>
> Many automated tools are great at crawling/attacking every url they discover, however fail to properly visit URL sequences
> in order. For example you must complete a 5 page process to get to the functionality on page 6. Certain commercial products
> support 'macros' where you can record those 'url sequences' in order and can later audit them in order. What are the list's
> experiences with getting blackbox tools to perform this depth of review in a pre/post production environment?
>
> If you plan on replying with one of the following replies you will be ignored! :)
> - Debating the types of attacks/weaknesses tools are good at finding
> - Debating source code/sca analysis vs blackbox
> - Pitching your product/service

I think that it's almost impossible to automatically create a 100%
accurate model to analyze web applications using a black-box approach.
For simple web applications with no "wizard-like" logic, this might be
achieved... but when the application starts to get more complex, IMHO
you've got two ways to go:

- Create a really complex model manually, that your web app scanner
needs to understand, and knows how to fuzz. Which is a hard task to
perform, and even if you want to do it... the scanner could limit your
model in SO MANY WAYS...

- Throw away the scanner, and perform manual testing, which is the
only real way in which you'll be sure that all the web application
vulnerabilities are being found. With this, I'm not saying that
scanners are useless! Damn... I write one in my spare time! What I'm
saying is that when the web application gets really, really complex...
the only way to test it properly is by hand.

Which is basically great, because all of us will have lots of work
testing web applications for at least 5 more years ;)

My two cents,

> Regards,
> - Robert A.
> http://www.cgisecurity.com/ Application Security news, and more
> http://www.webappsec.org/ WASC Co Founder and Moderator of The Web Security Mailing List
> http://www.qasec.com/ Software Security Testing in QA and Development
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>



-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/
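As an added illustration, not from the thread or from any scanner the posters mention, here is a small Python model of Robert's point: a 6-page wizard whose pages only work in order and only with the token issued by the previous page, so a crawler that requests every discovered URL on its own never reaches page 6, while a recorded macro replayed in sequence, carrying each token forward, does. WizardApp, the /step/N paths and the token values are constructed stand-ins.

```python
import re
from typing import Dict, List, Tuple

class WizardApp:
    """Constructed stand-in for a multi-page wizard (in-process, no HTTP).
    Each step must be taken in order, and steps 2..6 must echo back the
    one-time token handed out by the previous step."""
    STEPS = 6

    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}

    def handle(self, sid: str, path: str, form: Dict[str, str]) -> Tuple[int, str]:
        st = self.sessions.setdefault(sid, {"step": 1, "token": None})
        m = re.fullmatch(r"/step/(\d+)", path)
        n = int(m.group(1)) if m else 0
        if n != st["step"]:                      # out of order: back to start
            return 302, "Location: /step/1"
        if n > 1 and form.get("token") != st["token"]:
            return 403, "stale or missing token"
        if n == self.STEPS:                      # the page the audit cares about
            return 200, "<h1>Transfer funds</h1>"
        st["step"], st["token"] = n + 1, f"tok{n + 1}"
        return 200, f'<input type="hidden" name="token" value="{st["token"]}">'

def crawl_independently(app: WizardApp, sid: str) -> Dict[int, int]:
    """Spider-style: hit every known URL on its own, carrying no form state."""
    return {n: app.handle(sid, f"/step/{n}", {})[0] for n in range(1, 7)}

def replay_macro(app: WizardApp, sid: str, macro: List[str]) -> Tuple[bool, str]:
    """Replay a recorded URL sequence, feeding each page's token into the next
    request and stopping at the first step that does not answer 200."""
    token, last = "", ""
    for path in macro:
        status, body = app.handle(sid, path, {"token": token})
        if status != 200:
            return False, f"{path} -> {status}"
        mt = re.search(r'name="token" value="([^"]+)"', body)
        token = mt.group(1) if mt else ""
        last = body
    return "Transfer funds" in last, last
```

Note that the wizard keeps the session at step 6 once it gets there, so a scanner that wants to fuzz page 6 repeatedly must start a fresh session (new sid) and replay the macro before every attempt.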
