[WEB SECURITY] Need a vulnerable XML Web Service

Shlomi Narkolayev shlominar at gmail.com
Thu Jun 10 03:42:23 EDT 2010


I tend to agree with you, but think of it this way: Because of these reasons
there is always room for the little and the quicker ones in the security

I think companies that develop scanning tools (NT OBJECTives, IBM's
AppScan, Acunetix, WhiteHat's Sentinel, HP's WebInspect, Cenzic's
Hailstorm, etc.) need to invest (Money, Time, Research!) in the Engine as
they invest in the functionality of the product.


*In today's scanners, I see three main problems:*

1) Very high FP (more than 50%).

2) Lack of serious exploitation functionality (of course, this module could
significantly improve the first problem).

3) The greatest problem: Current scanners have very few attack signatures
that really can bypass filters and WAFs.

Just for comparison, attacks like XSS, SQLi, RFI, OSi, Directory Traversal,
and many others can have more than 1000 attack signatures for each type of
attack I described above, while current scanners have only about 4-20 attack
signatures for each type of attack.

This situation is good for us (the researchers); we need to continue our
research and make a "better place" for the security technology. It
means enlarging our attack signature lists ;-)

Kind Regards,
Narkolayev Shlomi.

Visit my blog: http://Narkolayev-Shlomi.blogspot.com

On Thu, Jun 10, 2010 at 2:08 AM, Andre Gironda <andreg at gmail.com> wrote:

> On Wed, Jun 9, 2010 at 2:24 PM, Jim Manico <jim at manico.net> wrote:
> > Do you think raw scanning engine technology has hit a plateau? Or could
> > it be that the cost to innovate scanning engines beyond today's state of the
> > art is getting prohibitive?
> Jim,
> Do you think investors of research projects for commercial app
> scanners should continue their current strategy, or should it be
> changed?
> If you were responsible for scan engine technology for an app scanner
> at one of the following companies, would you invest in the current
> model -- or would you try something completely different such as
> Fortify's approach with PTA and RTA?
> HP Software
> IBM Watchfire
> Acunetix
> Cenzic
> Qualys
> WhiteHat Security
> These vendors, IMO, have all failed to deliver quality products that
> constantly push the envelope. Instead, their "scan engine technology"
> is all but replaced by cheap ($200-$3000/year/person, unlimited use)
> products such as Burp Suite Professional and Mavituna Security
> Netsparker Pro.
> Look at the Wivet (wivet.googlecode.com) results. Look at the
> SQLiBENCH (sqlibench.googlecode.com) results. Run all of those
> scanners in crawl-only mode through Casaba x5s and see how many HTML
> injections you get from one scanner to the next. Guess who comes out
> on top? The cheapest commercial products, especially Burp Suite Pro
> and Netsparker Pro. To add to that fire, Burp Suite Free Edition and
> Netsparker Community Edition also blow the other commercial products
> away.
> What else is left to say? The free scanning engines (that are tied to
> the cheapest products in the appsec space) are better than the
> expensive, commercial scanning engines. The above 7 vendors can't and
> won't get their acts together. They have had their time. That time is
> now over.
> Thoughts?
> Andre