I agree with your comments, especially on the part that
scanners can hardly find design flaws. I remember I
encountered one case in which the session id was sequential;
the scanner did not even pick up such an obvious flaw. In
another case, after user login, the user id was embedded as a
hidden value and used to authenticate the user. And the
scanner failed to pick this up again.
-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web
application security assessments should be considered a crucial phase in
the development of any web application. What methodology should be
followed? What tools can accelerate the assessment process?
Download this whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000007t9h
-------------------------------------------------------------------------
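The two flaws the poster describes (a counter-based session id, and a hidden form field used as the authenticated identity) are shown below next to hardened versions, together with the small custom check a tester can script to catch the first one. This is an added example, not code from the original post or from any scanner product; the toy session store, the function names and the sample logins are constructed for illustration.

```python
import itertools
import secrets
from typing import Dict, List, Optional

# Added example (not from the original post). The "store" below stands in
# for a web application's server-side session table; names are hypothetical.


class SequentialSessionStore:
    """Vulnerable: session ids come from a counter, so every valid id is
    guessable from a single observed one (the flaw the post describes)."""

    def __init__(self, start: int = 1000) -> None:
        self._counter = itertools.count(start)
        self.sessions: Dict[str, int] = {}  # session id -> user id

    def login(self, user_id: int) -> str:
        sid = str(next(self._counter))
        self.sessions[sid] = user_id
        return sid


class RandomSessionStore(SequentialSessionStore):
    """Hardened: 128-bit ids from the OS CSPRNG, unguessable in practice."""

    def login(self, user_id: int) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user_id
        return sid


def collect_session_ids(store: SequentialSessionStore, n: int,
                        user_id: int = 1) -> List[str]:
    """Simulate logging in n times and recording the issued session ids,
    which is what a tester does by hand when a scanner reports nothing."""
    return [store.login(user_id) for _ in range(n)]


def _to_int(sid: str) -> Optional[int]:
    """Parse a decimal or hex-looking id; anything else is treated as opaque."""
    for base in (10, 16):
        try:
            return int(sid, base)
        except ValueError:
            continue
    return None


def looks_sequential(ids: List[str]) -> bool:
    """Flag ids as predictable when all of them parse as integers and each
    successive pair differs by the same small step. Random ids either fail
    to parse or have no constant gap, so they are not flagged."""
    values = [_to_int(s) for s in ids]
    if len(values) < 3 or any(v is None for v in values):
        return False
    gaps = {b - a for a, b in zip(values, values[1:])}
    return len(gaps) == 1 and 0 < gaps.pop() <= 16


def profile_user_vulnerable(form: Dict[str, str]) -> int:
    """Vulnerable: identity is read from a hidden form field that the client
    controls, so any logged-in user can act as someone else by editing it."""
    return int(form["user_id"])


def profile_user_hardened(store: SequentialSessionStore, cookie_sid: str,
                          form: Dict[str, str]) -> Optional[int]:
    """Hardened: identity comes only from the server-side session bound to
    the cookie. The submitted user_id field is ignored entirely, so an edited
    hidden field changes nothing, and an unknown cookie yields no identity."""
    return store.sessions.get(cookie_sid)


if __name__ == "__main__":
    # Constructed runs: ten logins against each store, then the check.
    print("counter ids sequential:",
          looks_sequential(collect_session_ids(SequentialSessionStore(), 10)))
    print("random ids sequential:",
          looks_sequential(collect_session_ids(RandomSessionStore(), 10)))

    store = RandomSessionStore()
    sid = store.login(7)                      # attacker legitimately logs in as user 7
    forged_form = {"user_id": "1"}            # ...then edits the hidden field to user 1
    print("vulnerable acts as:", profile_user_vulnerable(forged_form))
    print("hardened acts as:", profile_user_hardened(store, sid, forged_form))
```

The sequential check is deliberately simple: it parses each id and looks for a constant small stride, which is exactly the pattern a human notices after a few logins. The hidden-field fix is not a better validation of `user_id`; the field is dropped as an input altogether, because identity must never be reconstructed from data the client can rewrite.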