[WEB SECURITY] Need a vulnerable XML Web Service

Shlomi Narkolayev shlominar at gmail.com
Thu Jun 10 04:11:36 EDT 2010


Unfortunately I disagree; I think a good scanner should also have
capabilities to bypass systems' filtering mechanisms like simple
filter/Regex and WAFs.

Kind Regards,
Narkolayev Shlomi.

Visit my blog: http://Narkolayev-Shlomi.blogspot.com


On Thu, Jun 10, 2010 at 10:56 AM, Ory Segal <SEGALORY at il.ibm.com> wrote:

> Hi,
>
> I cannot attest for other companies in this market, but as for IBM, I can
> assure you that we are constantly working on developing new capabilities and
> improving our scanning engine.
>
> With regards to bypassing WAFs, I believe that this is somehow low
> priority, because most of our customers use the product in testing
> environments, and not in production, hence the need to bypass WAFs is
> irrelevant.
>
> -Ory
> -------------------------------------------------------------
> Ory Segal
> Security Products Architect
> AppScan Product Manager
> Rational, Application Security
> IBM Corporation
> Tel: +972-9-962-9836
> Mobile: +972-54-773-9359
> e-mail: segalory at il.ibm.com
>
>
>
>
> From:        Shlomi Narkolayev <shlominar at gmail.com>
> To:        Andre Gironda <andreg at gmail.com>
> Cc:        websecurity at webappsec.org, Jim Manico <jim at manico.net>, Ory
> Segal/Haifa/IBM at IBMIL, 7Lyrix <7lyrix at gmail.com>, "Arian J. Evans" <
> arian.evans at anachronic.com>, Arshan Dabirsiaghi <
> arshan.dabirsiaghi at aspectsecurity.com>, Nilesh Bhosale <nilesh at gslab.com>,
> Tom Stripling <tstripling at appsecconsulting.com>
> Date:        10-06-2010 10:42 AM
> Subject:        Re: [WEB SECURITY] Need a vulnerable XML Web Service
> ------------------------------
>
>
>
> Hey,
>
> I tend to agree with you, but think of it this way: Because of these
> reasons there is always room for the little and the quicker ones in the
> security field.
>
> I think companies that are developing scanning tools (NT OBJECTives, IBM's
> AppScan, Acunetix, WhiteHat's Sentinel, HP's WebInspect, Cenzic's
> Hailstorm, etc.) need to invest (money, time, research!) in the engine as
> they invest in the functionality of the product.
>
> In today's scanners, I see three main problems:
>
> 1) Very high FP (more than 50%).
>
> 2) Lack of serious exploitation functionality (of course, this module could
> significantly improve the first problem).
>
> 3) The greatest problem: Current scanners have very few attack
> signatures that really can bypass filters and WAFs.
>
> Just for comparison, attacks like: XSS, SQLi, RFI, OSi, Directory
> Traversal, and many others can have more than 1000 attack signatures for
> each type of attack I described above, and current scanners have only about
> 4-20 attack signatures for each type of attack.
>
>
>
> This situation is good for us (the researchers); we need to continue our
> research and make a "better place" for the security technology - it means
> enlarging our attack signature lists ;-)
>
>
> Kind Regards,
> Narkolayev Shlomi.
>
> Visit my blog: http://Narkolayev-Shlomi.blogspot.com
>
>
> On Thu, Jun 10, 2010 at 2:08 AM, Andre Gironda <andreg at gmail.com> wrote:
> On Wed, Jun 9, 2010 at 2:24 PM, Jim Manico <jim at manico.net> wrote:
> > Do you think raw scanning engine technology has hit a plateau? Or could
> > it be that the cost to innovate scanning engines beyond today's state of the
> > art is getting prohibitive?
>
> Jim,
>
> Do you think investors of research projects for commercial app
> scanners should continue their current strategy, or should it be
> changed?
>
> If you were responsible for scan engine technology for an app scanner
> at one of the following companies, would you invest in the current
> model -- or would you try something completely different such as
> Fortify's approach with PTA and RTA?
>
> HP Software
> IBM Watchfire
> Acunetix
> NTOBJECTives
> Cenzic
> Qualys
> WhiteHat Security
>
> These vendors, IMO, have all failed to deliver quality products that
> constantly push the envelope. Instead, their "scan engine technology"
> is all but replaced by cheap ($200-$3000/year/person, unlimited use)
> products such as Burp Suite Professional and Mavituna Security
> Netsparker Pro.
>
> Look at the Wivet (http://wivet.googlecode.com/) results. Look at the
> SQLiBENCH (http://sqlibench.googlecode.com/) results. Run all of those
> scanners in crawl-only mode through Casaba x5s and see how many HTML
> injections you get from one scanner to the next. Guess who comes out
> on top? The cheapest commercial products, especially Burp Suite Pro
> and Netsparker Pro. To add to that fire, Burp Suite Free Edition and
> Netsparker Community Edition also blow the other commercial products
> away.
>
> What else is left to say? The free scanning engines (that are tied to
> the cheapest products in the appsec space) are better than the
> expensive, commercial scanning engines. The above 7 vendors can't and
> won't get their acts together. They have had their time. That time is
> now over.
>
> Thoughts?
>
> Andre
>