[WEB SECURITY] best tool for web app scanning / pen testing

Andre Gironda andreg at gmail.com
Thu Mar 7 15:53:27 EST 2013


Well, the typical pre-2012 masters that I ran into all used Perl, Python,
or Ruby and were avid Unix fans as well as C and Java fans. You'll start to
see a lot more up-and-comers using Node.js or similar. The open-source
packages Selenium and WebDriver (lots of history there) are made to
simulate browsers, and can be seen as a sort of "patterns" with regards to
web app testing in general.

Everyone I know is looking to build a system similar to the Dradis
Framework, where tool import plugins can be assembled easily, and tool
output can be resulted to defined XML. This has not yet become any sort of
pattern, and I think pen testing in general is still in its infancy. CORE
had performed research on this in the past, but most was focused on net pen
testing or binary pen testing, not the world of legacy-everything meets
Web2.0 meets mobile and cloud.

dre
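
Added example (not code from the thread, and not Dradis' own importer or format): a minimal importer in the shape described above, where each tool gets a small import plugin that maps its raw output onto one canonical finding vocabulary, findings that several tools report for the same URL and parameter are merged, and the result is written to one defined XML schema. Both scanner output formats, the `Finding` fields, the alias tables and the XML schema are constructed here for illustration and are not any real tool's format.

```python
"""Added example (not from the thread): a minimal Dradis-style importer that
takes the raw output of two hypothetical scanners, normalizes each finding
into one defined XML schema, and de-duplicates overlapping findings."""
import json
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample output from two hypothetical tools (not real tool formats).
SCANNER_A_JSON = """
{"findings": [
  {"type": "sqli", "url": "http://app.example/search", "param": "q", "severity": "high"},
  {"type": "xss", "url": "http://app.example/profile", "param": "name", "severity": "medium"}
]}
"""
SCANNER_B_TEXT = """\
[HIGH] SQL injection at http://app.example/search (parameter: q)
[LOW]  Missing X-Frame-Options at http://app.example/ (parameter: -)
[MED]  Cross-site scripting at http://app.example/profile (parameter: name)
"""


@dataclass(frozen=True)
class Finding:
    vuln_type: str   # canonical name, used for cross-tool matching
    url: str
    param: str
    severity: str    # canonical: high / medium / low
    source: str      # which tool(s) reported it, comma separated


# Canonical vocabulary (assumed); each importer maps its tool's wording onto this.
TYPE_ALIASES = {
    "sqli": "sql-injection", "sql injection": "sql-injection",
    "xss": "xss", "cross-site scripting": "xss",
    "missing x-frame-options": "missing-x-frame-options",
}
SEVERITY_ALIASES = {"high": "high", "med": "medium", "medium": "medium", "low": "low"}


def canonical_type(raw):
    """Map a tool's wording onto the canonical vulnerability name."""
    return TYPE_ALIASES.get(raw.strip().lower(), raw.strip().lower().replace(" ", "-"))


def import_scanner_a(text):
    """Importer plugin for the JSON-emitting tool (format is assumed)."""
    out = []
    for f in json.loads(text)["findings"]:
        out.append(Finding(canonical_type(f["type"]), f["url"], f["param"],
                           SEVERITY_ALIASES[f["severity"].lower()], "scanner-a"))
    return out


LINE_RE = re.compile(
    r"^\[(?P<sev>\w+)\]\s+(?P<type>.+?) at (?P<url>\S+) \(parameter: (?P<param>[^)]*)\)$")


def import_scanner_b(text):
    """Importer plugin for the line-oriented text tool; lines that do not
    match the expected shape are skipped rather than guessed at."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        param = "" if m["param"] == "-" else m["param"]
        out.append(Finding(canonical_type(m["type"]), m["url"], param,
                           SEVERITY_ALIASES[m["sev"].lower()], "scanner-b"))
    return out


def merge(findings):
    """Collapse findings that describe the same (type, url, param) into one
    record, keeping the name of every tool that reported it."""
    merged = {}
    for f in findings:
        key = (f.vuln_type, f.url, f.param)
        if key in merged:
            prev = merged[key]
            merged[key] = Finding(prev.vuln_type, prev.url, prev.param, prev.severity,
                                  prev.source + "," + f.source)
        else:
            merged[key] = f
    return sorted(merged.values(), key=lambda f: (f.url, f.vuln_type))


def to_xml(findings):
    """Emit the defined XML schema (assumed here; not Dradis' real format)."""
    root = ET.Element("findings")
    for f in findings:
        el = ET.SubElement(root, "finding", severity=f.severity, sources=f.source)
        ET.SubElement(el, "type").text = f.vuln_type
        ET.SubElement(el, "url").text = f.url
        ET.SubElement(el, "param").text = f.param
    return ET.tostring(root, encoding="unicode")


def run():
    """Run both importers over the constructed samples; returns (findings, xml)."""
    findings = merge(import_scanner_a(SCANNER_A_JSON) + import_scanner_b(SCANNER_B_TEXT))
    return findings, to_xml(findings)


if __name__ == "__main__":
    print(run()[1])
```

The merge key is (type, url, param), so the SQL injection and the XSS that both constructed tools report appear once each with `sources="scanner-a,scanner-b"`, while the header finding only scanner-b saw keeps a single source; that is the view a reviewer wants when triaging output from several scanners. Unparseable lines are dropped rather than guessed, since a silently mis-parsed finding is worse than a missing one.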



On Thu, Mar 7, 2013 at 1:45 PM, Ofer Shezaf <ofer at shezaf.com> wrote:

> Humor aside, I think we are very much in agreement. Even the best of tools
> will not replace humans.
>
> The issue is that I think tools should be evaluated, at least in most
> cases, based on how they empower the average and not very experienced app
> sec guy rather than how lethal they are in the hand of the master.
>
> ~ Ofer
>
> *From:* Andre Gironda [mailto:andreg at gmail.com]
> *Sent:* Thursday, March 07, 2013 10:28 PM
>
> *To:* Ofer Shezaf
> *Cc:* Dinis Cruz; Nitin Vindhara; websecurity at lists.webappsec.org; Phil
> Gmail
> *Subject:* Re: [WEB SECURITY] best tool for web app scanning / pen testing
>
> Ofer,
>
>
> It's just that most Unixes come with either wget or curl right from the
> start. You'd have to install Powershell to get anything equivalent on
> Windows, unless you were already a developer who had your own HTTP/TLS
> clients written in a certain language, such as .NET (which could also be
> ported to Unix with Mono).
>
> Metasploit requires Unix (or Cygwin when on Windows), and it's the
> dominant pen testing platform across the world. How could you say it's just
> me?
>
> There are many open-source tools, libraries, frameworks, and testing
> platforms, especially built around Unix platforms. During a pen test, it's
> about combining those things together -- to which I haven't seen a good
> commercial library or framework in the web app pen space.
>
> There are some commercial tools that can be used by pen-testers in the
> Enterprise workflow for application security risk management purposes. For
> example, I like to get all of my findings into Burp Suite Professional so
> that I can submit them to Fortify Software Security Center. Note that I
> work for HP, so I may come across Fortify SSC more often than this audience.
>
> By no means should you assume that myself or anyone who does web app pen
> for HP or any company uses only those tools. I am literally saying here
> that all tools are relevant and have purpose when dealing with appsec. If
> you want to present your findings to an information security team,
> directors, or C-level executives trying to make decisions around appsec
> risk management issues, then there are few commercial portal offerings to
> aid in that effort. Application security risk management portals are
> critical path to instill inside a large-installation organization.
>
> In other words, it's not "which tools" you need "to buy", but more "what
> skillsets do you need to find the issues and can those skills match up to
> the requirements necessary to report/understand/mediate those issues?". The
> answer to the skillsets is usually either a Unix person, or an appdev who
> has written their own HTTP/TLS clients and XML/JSON/HTML/JS/AS parsers.
> Would you say it's easier to find/educate a Unix person or a
> specific-domain appdev?
>
> dre
>
> On Thu, Mar 7, 2013 at 12:42 PM, Ofer Shezaf <ofer at shezaf.com> wrote:
>
> I gave it a try. I SSHed to the first Unix machine I could find. I stared
> at the prompt. It stared at me. Alas, no application vulnerability surfaced
> out from the black surface.
>
> What you really say is that Unix + Andre is the best tool. I accept that.
> The only issue is that Andre is a very scarce resource (approximately 1 in
> 7 billion in the sample population).
>
> ~ Ofer
>
> *From:* Andre Gironda [mailto:andreg at gmail.com]
> *Sent:* Thursday, March 07, 2013 8:37 PM
> *To:* Ofer Shezaf
> *Cc:* Dinis Cruz; Nitin Vindhara; websecurity at lists.webappsec.org; Phil
> Gmail
> *Subject:* Re: [WEB SECURITY] best tool for web app scanning / pen testing
>
> I like to pick up a new tool every time I need to do something with web
> apps or pen-testing. Or pick up a new way to write an HTTP client in a
> different language. Or parse HTML/JS/AS. Or especially to figure out what
> blobs of data are.
>
> Therefore, I have concluded that the best tool for web app scanning / pen
> testing is Unix. Any Unix or clone of Unix, or subset of Unix such as
> Cygwin. They'll all do. ;>
>
> dre
>
> On Wed, Mar 6, 2013 at 11:02 PM, Ofer Shezaf <ofer at shezaf.com> wrote:
>
> Commercial scanners do that today, usually as part of their integration with
> a runtime element embedded in the application.
>
> ~ Ofer
>
>
> -----Original Message-----
> From: websecurity [mailto:websecurity-bounces at lists.webappsec.org] On
> Behalf Of Dinis Cruz
> Sent: Thursday, March 07, 2013 12:46 AM
> To: Nitin Vindhara
> Cc: websecurity at lists.webappsec.org; Phil Gmail
> Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
>
> If you have access to the source code of the target application, you should
> also analyse it and extract data to feed to the web scanners (for example
> all possible urls, form fields, web services, REST interfaces, etc)
>
> Dinis Cruz
>
> On 6 Mar 2013, at 19:55, Nitin Vindhara <nitin.vindhara at gmail.com> wrote:
>
> > My experience with appscan is better than webinspect. I mean in
> > terms of identifying maximum vulnerabilities.
> >
> > However, more false positives are reported by appscan.
> > Acunetix is better in terms of fewer false positives.
> >
> > Burp is semi-automated, but good at finding some additional
> > vulnerabilities. It can be an additional scanner, but not the only one.
> > Its main objective is as a proxy, not a scanner.
> >
> > However, support for webinspect and Acunetix is found to be better.
> >
> > So depending on your needs and the skill set you or your team have, the
> > decision has to be taken.
> >
> > Also, these are my personal views; they cannot be foolproof.
> >
> > Regards
> > Nitin
> >
> > On 3/6/13, Daniel Herrera <daherrera101 at yahoo.com> wrote:
> >> "Web application scanners that provide trial licenses with limiters
> >> like target domains can be circumvented by statically resolving their
> >> target domain to an IP of your choosing on the environment that you
> >> are running the scanner from."
> >>
> >> --- On Wed, 3/6/13, Daniel Herrera <daherrera101 at yahoo.com> wrote:
> >>
> >> From: Daniel Herrera <daherrera101 at yahoo.com>
> >> Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
> >> testing
> >> To: "Zippy Zeppoli" <zippyzeppoli at gmail.com>, "Phil Gmail"
> >> <phil at safewalls.net>
> >> Cc: "websecurity at lists.webappsec.org"
> >> <websecurity at lists.webappsec.org>
> >> Date: Wednesday, March 6, 2013, 11:06 AM
> >>
> >> Sooo... web application scanners that provide trial licenses with
> >> limiters like target domains can be circumvented by statically
> >> resolving their target domain to an IP of your choosing on the
> >> environment that you are running that application from. Note that
> >> your target application must accept arbitrary "Host" header entries.
> >>
> >> Some interesting options to look into would be:
> >>
> >> Netsparker
> >> http://www.mavitunasecurity.com/netsparker/
> >>
> >> Websecurify
> >> http://www.websecurify.com/suite
> >>
> >> Personally I don't put much faith in automated assessment utilities
> >> both open and closed source. There are a lot of common flaws and
> >> pitfalls that can negatively impact a scan and the quality of its
> >> output.
> >>
> >> I always recommend that people move past the tools and dig into the
> >> concepts themselves, unlike network interrogation which in my opinion
> >> has a far more finite set of test cases, application interrogation is
> >> very complex and difficult to do generically well across the myriad
> >> of implementations people come up with daily... literally. All that
> >> said, many of the paid solutions have been working on the problem for
> >> a while and they set a decent bar, hybrid solutions like Whitehat
> >> that provide managed scanning tend to perform better than their
> >> unmanaged counterparts in my opinion.
> >>
> >> /morning ramble
> >>
> >> I didn't see your original question to the list, so this is the best
> >> answer I could provide within the context of what I saw.
> >>
> >>
> >> D
> >>
> >>
> >>
> >> --- On Tue, 3/5/13, Phil Gmail <phil at safewalls.net> wrote:
> >>
> >> From: Phil Gmail <phil at safewalls.net>
> >> Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
> >> testing
> >> To: "Zippy Zeppoli"
> >> <zippyzeppoli at gmail.com>
> >> Cc: "websecurity at lists.webappsec.org"
> >> <websecurity at lists.webappsec.org>
> >> Date: Tuesday, March 5, 2013, 6:46 PM
> >>
> >> I'd recommend Burp Pro, but it is not an automated tool.
> >> Www.burpsuite.com
> >>
> >> Phil
> >> Sent from iPhone
> >> Twitter: @sec_prof
> >>
> >> On Mar 5, 2013, at 17:53, Zippy Zeppoli <zippyzeppoli at gmail.com> wrote:
> >>
> >>> Hello,
> >>> I am looking for a solution to do web application vulnerability
> >>> scanning / testing.
> >>> IBM's rational appscan seems like a good solution, and I've used it
> >>> in the past.
> >>> The only problem seems to be the IBM part. I'm trying to engage them
> >>> for a trial license that doesn't only scan some useless webgoat, and
> >>> test it on my own app.
> >>>
> >>> I'm getting kind of dismayed with the responsiveness, so I'm wondering
> >>> if there are better *commercial* solutions out there which are ready
> >>> to go out of the box.
> >>> I'd love to use open source tools, but I don't have the time to do
> >>> the engineering part since I'm overburdened.
> >>>
> >>> Thanks for your tips.
> >>>
> >>> Z
> >>>
> >>> _______________________________________________
> >>> The Web Security Mailing List
> >>>
> >>> WebSecurity RSS Feed
> >>> http://www.webappsec.org/rss/websecurity.rss
> >>>
> >>> Join WASC on LinkedIn
> >>> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> >>>
> >>> WASC on Twitter
> >>> http://twitter.com/wascupdates
> >>>
> >>> websecurity at lists.webappsec.org
> >>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
> >>
> >
> > --
> > Regards
> >
> > Nitin Vindhara
> >