Thread: OS XSS and SQL scanner
OS XSS and SQL scanner
user name
2006-08-02 11:53:58
Hi,
RE:
"This situation is no doubt due to the utter lack of skill
and understanding of the subject on the part of the authors."

I thought these tools were to assist one, so not as much
skill is required?
Otherwise one would do it in a manual fashion?

What does one think?

-ek

On 01/08/06, Arian J. Evans <arian.evansanachronic.com> wrote:
>
> > -----Original Message-----
> > From: Mandeep Khera [mailto:mandeepcenzic.com]
> >
> > I am sorry to hear that you perceive some problems with our
> > product. We take pride in being the most accurate product
> > with least amount of false positives in the industry. This
> > has been proven in many bake-offs by customers and
> > independent journalists.
>
> Hate to take this a little off topic, but do you have any facts
> that can support or back up these claims? Any data produced by
> anyone competent that speaks to your "false positives" and also
> your "false negatives"?
>
> I have failed to read a review yet to date that contains useful
> information. So far what I've read varies from useless data
> organized around features like "reflective buttons" (e.g. the
> Acunetix review posted to this list written by some woman
> who writes windows software articles) to the other extreme
> of uninformed opinion and inability to keep features between
> the products straight (secure enterprise computing review).
> This includes infosec magazine and online reviews, bake-offs,
> and Gartner-style evals. Every one I have read so far is garbage.
>
> Not one covers actual tests run, and the how & why around them.
>
> This situation is no doubt due to the utter lack of skill
> and understanding of the subject on the part of the authors.
>
> However, I think all on this list would welcome information
> of a high-quality nature regarding scanner quality, if you
> have anything like that to point us at.
>
> -ae
>


-- 
Eoin Keary OWASP - Ireland
http://www.owasp.org/local/ireland.html


OS XSS and SQL scanner
user name
2006-08-02 16:33:21
Eoin wrote:
> Hi,
> RE:
> "This situation is no doubt due to the utter lack of skill
> and understanding of the subject on the part of the authors."
>
> I thought these tools were to assist one, so not as much
> skill is required?
> Otherwise one would do it in a manual fashion?
>
> What does one think?
>
> -ek

I'd say that the tools are absolutely there to assist one. However, that
does not in any way mean that you can simply point and click, and get
meaningful results.

I'd use such a tool to perform the automatable drudge work. As mentioned
before by various persons, that includes checking for trivial XSS, HTTP
header injection, and SQL injection vulnerabilities.

I certainly wouldn't trust it to run without supervision (certainly not
the FIRST time), and place reliance on its results. All results need to
be checked for tool failures that could easily be confused for "pass"
results, e.g. undetected session invalidation, account lockout, etc.

That's one of the reasons that I don't try to do any automated analysis
of the results generated by the WebScarab fuzzer. I *WANT* the operator
to take a look at all of the responses, and make up their own minds. The
value of the Fuzzer is really to automate the repetitive "try this
string in this parameter", in all possible permutations, so that the
user does not have to do all the clicks and typing themselves. But
analysing the results should be a job for a human.

Someone who *knows* what they are looking at.

IMO.

Rogan

> 
> On 01/08/06, Arian J. Evans <arian.evansanachronic.com> wrote:
>>
>> > -----Original Message-----
>> > From: Mandeep Khera [mailto:mandeepcenzic.com]
>> >
>> > I am sorry to hear that you perceive some problems with our
>> > product. We take pride in being the most accurate product
>> > with least amount of false positives in the industry. This
>> > has been proven in many bake-offs by customers and
>> > independent journalists.
>>
>> Hate to take this a little off topic, but do you have any facts
>> that can support or back up these claims? Any data produced by
>> anyone competent that speaks to your "false positives" and also
>> your "false negatives"?
>>
>> I have failed to read a review yet to date that contains useful
>> information. So far what I've read varies from useless data
>> organized around features like "reflective buttons" (e.g. the
>> Acunetix review posted to this list written by some woman
>> who writes windows software articles) to the other extreme
>> of uninformed opinion and inability to keep features between
>> the products straight (secure enterprise computing review).
>> This includes infosec magazine and online reviews, bake-offs,
>> and Gartner-style evals. Every one I have read so far is garbage.
>>
>> Not one covers actual tests run, and the how & why around them.
>>
>> This situation is no doubt due to the utter lack of skill
>> and understanding of the subject on the part of the authors.
>>
>> However, I think all on this list would welcome information
>> of a high-quality nature regarding scanner quality, if you
>> have anything like that to point us at.
>>
>> -ae
>>
> 
> 
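Rogan's point that a fuzzer's "nothing found" can hide a lost session or a locked account lends itself to a small triage pass over the recorded responses. The following is an added example, not WebScarab's code: it walks an ordered list of constructed fuzz responses (with a hypothetical login path and lockout wording standing in for what a real run would take from a baseline request) and downgrades every result after the session was invalidated so it is not read as a pass.

```python
import re
from dataclasses import dataclass

@dataclass
class Response:
    payload: str    # fuzz string that was sent in the parameter
    status: int     # HTTP status code returned
    location: str   # Location header, "" if absent
    body: str       # response body (a snippet is enough here)

# Hypothetical markers for the sample application. In a real run they come
# from a baseline request made with a known-good session before fuzzing.
LOGIN_PATH = "/login"
LOCKOUT_RE = re.compile(r"account (is )?locked|too many (failed )?attempts", re.I)

def classify(resp, baseline_len):
    """Label one response; 'usable' only means a human can still read it."""
    if resp.status in (301, 302, 303, 307) and resp.location.startswith(LOGIN_PATH):
        return "session_lost"      # bounced to the login page
    if LOCKOUT_RE.search(resp.body):
        return "locked_out"
    if resp.status >= 500 or abs(len(resp.body) - baseline_len) > baseline_len // 2:
        return "anomalous"         # server error or very different page size
    return "usable"

def triage(responses, baseline_len):
    """Classify in send order; after the session is lost, later 'usable'
    results become 'untrusted' because the tool was no longer logged in."""
    results, alive = [], True
    for r in responses:
        label = classify(r, baseline_len)
        if label in ("session_lost", "locked_out"):
            alive = False
        elif label == "usable" and not alive:
            label = "untrusted"
        results.append((r.payload, label))
    return results

# Constructed sample run: the third payload got the session expired, so the
# normal-looking response after it says nothing about the application.
PAGE = "<h1>Profile</h1><p>Name: {}</p>" + " " * 60
SAMPLE = [
    Response("abc", 200, "", PAGE.format("abc")),
    Response("<b>x</b>", 200, "", PAGE.format("<b>x</b>")),
    Response("' OR 1=1--", 302, "/login?expired=1", ""),
    Response("%0d%0aX: y", 200, "", PAGE.format("guest")),
]

def run_sample():
    return triage(SAMPLE, len(SAMPLE[0].body))
```

The second response reflects the markup unencoded and is still labelled "usable", which is deliberate: the pass says whether the tool was still in a position to test, and leaves the judgement about each response to the operator.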


