[WEB SECURITY] Need a vulnerable XML Web Service

Andre Gironda andreg at gmail.com
Thu Jun 10 04:16:43 EDT 2010


On Thu, Jun 10, 2010 at 2:58 AM, Ory Segal <SEGALORY at il.ibm.com> wrote:
> Again, I cannot talk on behalf of other vendors, but I know that our own product doesn't only crawl the application and generate test cases blindly, but actually probes each entry point, and decides what kinds of vulnerabilities should be tested, accordingly.

Of course your product does this, but that's not exactly my point.

> If you think about it, proper crawling coverage, and correct analysis of the traffic, HTML and HTTP, is the basis for application security testing. Without proper coverage, you cannot find all of the entry points that need to be tested.

Yes, but how does a black-box tool measure coverage? It can't!

The app scanner is only going to know about the angles of attack that
the tester drives it with. If there is a part of the app that does an
Ajax proxy (or whatever) over to lalaland.com and the tester has no
idea about lalaland.com, there is a whole portion of the app that
isn't being tested. There are higher-order injections that can come
from entry points that are not HTTP/TLS in many "real world" apps.

When you can feed a threat-model into an application security testing
tool -- then and only then will any sort of testing automation
actually be useful.

Test automation from an SQE or dev-tester perspective is expensive and
almost always unwarranted.

The important things to know are who (or what) is doing what to the
app and where. A large-user beta test is going to weed out more
functionality and usability bugs than any automation at a much cheaper
cost. How do we do the same thing for security bugs? I have ideas
about how to do this that transcend all of this chatter about app
scanners and how well they did in the last Larry Suto report.

Focus on the parts of my email threads where I talk about the good
things instead of the bad things. You see "app scanners" suck and feel
the need to defend. Instead you should be asking yourself about what
is really going on, why is Andre saying these things, etc. I just
shrug off the whole "real world" comments. Sure, more than half of
what I'm talking about is theoretical, but it's mirrored in the
quality testing industry, which has been around a lot longer than the
security testing industry.
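An added illustration of the coverage point made in this message (this is editor-written example code, not anything Andre or any vendor posted): if the tester supplies an entry-point inventory from a threat model, a scan log can be checked against it, and the gaps fall out automatically, including hosts the scanner was never pointed at (the "lalaland.com" case) and entry points whose transport a web scanner cannot drive at all. The inventory, the log lines and the hostnames are all constructed for the example.

```python
"""Compare what a black-box scan actually exercised against a threat-model
entry-point inventory. Added example; all data below is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class EntryPoint:
    name: str
    transport: str  # "http", or something a web scanner cannot drive ("amqp", "smtp", ...)
    host: str
    path: str       # URL path for http; queue or mailbox name otherwise


# Constructed threat-model inventory: the tester's knowledge, not the scanner's.
THREAT_MODEL = [
    EntryPoint("login form", "http", "app.example.test", "/login"),
    EntryPoint("search", "http", "app.example.test", "/search"),
    EntryPoint("ajax proxy target", "http", "lalaland.example.test", "/api/quote"),
    EntryPoint("order queue consumer", "amqp", "mq.example.test", "orders"),
]

# Constructed scanner/proxy log, one request per line: METHOD URL STATUS.
SCAN_LOG = """\
GET http://app.example.test/login 200
POST http://app.example.test/login 302
GET http://app.example.test/search?q=a 200
GET http://app.example.test/static/app.js 200
"""

LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def exercised_http_entry_points(log: str) -> set[tuple[str, str]]:
    """Return the (host, path) pairs the scanner actually requested."""
    seen: set[tuple[str, str]] = set()
    for line in log.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # tolerate noise in the log
        u = urlsplit(m["url"])
        if u.hostname:
            seen.add((u.hostname.lower(), u.path or "/"))
    return seen


def coverage_report(model: list[EntryPoint], log: str) -> dict:
    """Classify every modelled entry point as tested or as a gap with a reason,
    and list exercised URLs that the model does not know about."""
    seen = exercised_http_entry_points(log)
    scanned_hosts = {host for host, _ in seen}
    tested: list[str] = []
    gaps: dict[str, str] = {}
    for ep in model:
        if ep.transport != "http":
            gaps[ep.name] = f"non-HTTP entry point ({ep.transport}): a web scanner cannot drive it"
        elif (ep.host, ep.path) in seen:
            tested.append(ep.name)
        elif ep.host not in scanned_hosts:
            gaps[ep.name] = f"host never requested: {ep.host} (scanner was not pointed at it)"
        else:
            gaps[ep.name] = f"host scanned but path never exercised: {ep.path}"
    modelled = {(ep.host, ep.path) for ep in model if ep.transport == "http"}
    return {
        "coverage": len(tested) / len(model) if model else 0.0,
        "tested": tested,
        "gaps": gaps,
        "unmodelled": seen - modelled,  # surface the scanner hit that the model lacks
    }


if __name__ == "__main__":
    report = coverage_report(THREAT_MODEL, SCAN_LOG)
    print(f"coverage: {report['coverage']:.0%} of modelled entry points")
    for name, reason in report["gaps"].items():
        print(f"GAP  {name}: {reason}")
    for host, path in sorted(report["unmodelled"]):
        print(f"NOTE exercised but not in threat model: {host}{path}")
```

The "unmodelled" list matters as much as the gaps: a URL the scanner reached that the threat model never listed means the inventory is incomplete, so the coverage percentage is only as trustworthy as the model it is measured against.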
