[WEB SECURITY] Need a vulnerable XML Web Service

Neil Matatall nmatatall at attinteractive.com
Thu Jun 10 13:43:02 EDT 2010


I agree with Ory and I'd rather have the creators of these products spend time on other features (good Rails support, better REST support, etc).  I've always subscribed to making the app as secure as possible without a WAF, and then deploy the application behind a WAF.

IMO, bypassing WAFs would be much more beneficial to the WAF vendors and external pen testers than those actually using WAFs.  In my experience, most *useful* pen testing and assessments are performed internally with the external scans used mainly for box checking regarding compliance.  If you rely on your WAF and you only have external scanning, then this feature might be important.

Neil

On Jun 10, 2010, at 1:11 AM, Shlomi Narkolayev wrote:

> 
> Unfortunately I disagree; I think a good scanner should also have capabilities to bypass systems' filtering mechanisms like simple filter/Regex and WAFs.
> 
> 
> Kind Regards,
> Narkolayev Shlomi.
> 
> Visit my blog: http://Narkolayev-Shlomi.blogspot.com
> 
> 
> On Thu, Jun 10, 2010 at 10:56 AM, Ory Segal <SEGALORY at il.ibm.com> wrote:
> Hi, 
> 
> I cannot attest for other companies in this market, but as for IBM, I can assure you that we are constantly working on developing new capabilities and improving our scanning engine. 
> 
> With regards to bypassing WAFs, I believe that this is somehow low priority, because most of our customers use the product in testing environments, and not in production, hence the need to bypass WAFs is irrelevant. 
> 
> -Ory 
> -------------------------------------------------------------
> Ory Segal
> Security Products Architect 
> AppScan Product Manager
> Rational, Application Security
> IBM Corporation
> Tel: +972-9-962-9836
> Mobile: +972-54-773-9359
> e-mail: segalory at il.ibm.com 
> 
> 
> 
> From:        Shlomi Narkolayev <shlominar at gmail.com> 
> To:        Andre Gironda <andreg at gmail.com> 
> Cc:        websecurity at webappsec.org, Jim Manico <jim at manico.net>, Ory Segal/Haifa/IBM at IBMIL, 7Lyrix <7lyrix at gmail.com>, "Arian J. Evans" <arian.evans at anachronic.com>, Arshan Dabirsiaghi <arshan.dabirsiaghi at aspectsecurity.com>, Nilesh Bhosale <nilesh at gslab.com>, Tom Stripling <tstripling at appsecconsulting.com> 
> Date:        10-06-2010 10:42 AM 
> Subject:        Re: [WEB SECURITY] Need a vulnerable XML Web Service 
> 
> 
> 
> Hey,
> 
> I tend to agree with you, but think of it this way: Because of these reasons there is always room for the little and the quicker ones in the security field.
> 
> I think companies that develop scanning tools (NT OBJECTives, IBM's AppScan, Acunetix, WhiteHat's Sentinel, HP's WebInspect, Cenzic's Hailstorm, etc.) need to invest (Money, Time, Research!) in the Engine as they invest in the functionality of the product.
> 
> 
> In today's scanners, I see three main problems:
> 
> 1) Very high FP (More than 50%).
> 
> 2) Lack of serious exploitation functionality (of course, this module could significantly improve the first problem).
> 
> 3) The greatest problem: Current scanners have very few attack signatures that really can bypass filters and WAFs.
> 
> Just for comparison, attacks like: XSS, SQLi, RFI, OSi, Directory Traversal, and many others can have more than 1000 attack signatures for each type of attack I described above, and current scanners have only about 4-20 attack signatures for each type of attack.
> 
> 
> This situation is good for us (the researchers); we need to continue our research and make a "better place" for the security technology - It means enlarging our attack signature lists ;-)
> 
> 
> 
> Kind Regards,
> Narkolayev Shlomi.
> 
> Visit my blog: http://Narkolayev-Shlomi.blogspot.com
> 
> 
> On Thu, Jun 10, 2010 at 2:08 AM, Andre Gironda <andreg at gmail.com> wrote: 
> On Wed, Jun 9, 2010 at 2:24 PM, Jim Manico <jim at manico.net> wrote:
> > Do you think raw scanning engine technology has hit a plateau? Or could it be that the cost to innovate scanning engines beyond today's state of the art is getting prohibitive?
> 
> Jim,
> 
> Do you think investors of research projects for commercial app
> scanners should continue their current strategy, or should it be
> changed?
> 
> If you were responsible for scan engine technology for an app scanner
> at one of the following companies, would you invest in the current
> model -- or would you try something completely different such as
> Fortify's approach with PTA and RTA?
> 
> HP Software
> IBM Watchfire
> Acunetix
> NTOBJECTives
> Cenzic
> Qualys
> WhiteHat Security
> 
> These vendors, IMO, have all failed to deliver quality products that
> constantly push the envelope. Instead, their "scan engine technology"
> is all but replaced by cheap ($200-$3000/year/person, unlimited use)
> products such as Burp Suite Professional and Mavituna Security
> Netsparker Pro.
> 
> Look at the Wivet (wivet.googlecode.com) results. Look at the
> SQLiBENCH (sqlibench.googlecode.com) results. Run all of those
> scanners in crawl-only mode through Casaba x5s and see how many HTML
> injections you get from one scanner to the next. Guess who comes out
> on top? The cheapest commercial products, especially Burp Suite Pro
> and Netsparker Pro. To add to that fire, Burp Suite Free Edition and
> Netsparker Community Edition also blow the other commercial products
> away.
> 
> What else is left to say? The free scanning engines (that are tied to
> the cheapest products in the appsec space) are better than the
> expensive, commercial scanning engines. The above 7 vendors can't and
> won't get their acts together. They have had their time. That time is
> now over.
> 
> Thoughts? 
> 
> Andre
> 
