Re: Comparison report on web app security scanners

I'm not saying that all the scanners will fail against these type of 
applications.
It's possible to scan them but you need to know how to configure the scanner in 
order to be 
able to scan them properly.

A simple "new scan", enter the url and click Start will not work in this case.

-----Original Message-----
From: "Dean H. Saxe" <dean@fullfrontalnerdity.com>
To: Mark Curphey <mark@curphey.com>
Cc: "'Bogdan Calin'" <bogdan@acunetix.com>, <webappsec@securityfocus.com>, 
<Holger.Peine@iese.fraunhofer.de>
Date: Wed, 17 May 2006 19:38:24 -0400
Subject: Re: Comparison report on web app security scanners

> I'm with Mark on this.
>
> In the past I worked on a banking app that by design tracked user  
> state through the application.  If you didn't follow the workflow,  
> you didn't get access to a particular URL.  Are you saying that your  
> scanner, and all others, will fail against this type of application?
>
> I have to believe its more common than you think based on the web app  
> pen testing I have done.
>
> -dhs
>
> Dean H. Saxe, CEH
> dean@fullfrontalnerdity.com
> "Great spirits have often encountered violent opposition from weak  
> minds."
>      --Einstein
>
> Find out about my Hike for Discovery at www.fullfrontalnerdity.com/hfd
>
>
> On May 16, 2006, at 1:47 PM, Mark Curphey wrote:
>
> > Bullshit....
> >
> > -----Original Message-----
> > From: Bogdan Calin [mailto:bogdan@acunetix.com]
> > Sent: Tuesday, May 16, 2006 10:10 AM
> > To: webappsec@securityfocus.com
> > Cc: Holger.Peine@iese.fraunhofer.de
> > Subject: Re: Comparison report on web app security scanners
> >
> > Hello,
> >
> > A few days ago Dr. Holger Peine published a "Comparison report on web
> > app security scanners".
> >
> > For this report he used two web applications: one of them is  
> > WebGoat and
> > the other one is a proprietary application which is not public.
> >
> > I don't know anything about this proprietary application but I would
> > like to say that WebGoat is not a good test case for evaluating web
> > scanners.
> >
> > WebGoat is using server side state variables to track user actions.  
> > For
> > example, if you want to test the String SQL injection flaw you first
> > need to navigate to the "String SQL injection" section in order to
> set
> > the proper state of the application.
> >
> > If the application is not in the proper state, the SQL injection test
> > will not work. The application will just ignore your inputs.
> >
> > An automated scanner cannot guess this application behavior, and  
> > unless
> > you optimize your scanner for this particular application it will  
> > not be
> > able to scan it properly.
> >
> > When the scanner has finished discovering the site structure, WebGoat
> > will be in some unknown state. All tests will be performed while  
> > WebGoat
> > is in this state.
> >
> > This is not a common implementation.
> >
> > Because we are offering free audits, we have audited more than 1,000
> > websites and didn't encountered this kind of implementation.
> >
> > WebGoat is great for learning about web security flaws but I don't  
> > think
> > it should be used as a test case for web security scanners.
> >
> > Bogdan Calin
> > Acunetix Ltd. - www.acunetix.com
> > Acunetix Web Vulnerability Scanner
> ---------------------------------------------------------------------- 
> > ---
> > Sponsored by: Watchfire
> >
> > Watchfire named worldwide market share leader in web application  
> > security
> > assessment by leading market research firm. Watchfire's AppScan is
> the
> > industry's first and leading web application security testing  
> > suite, and
> > the only solution to provide comprehensive remediation tasks at every
> > level of the application. See for yourself.
> > Download a Free Trial of AppScan 6.0 today!
> >
> > https://www.watchfire.com/securearea/appscansix.aspx? 
> > id=701300000007t9c
> ---------------------------------------------------------------------- 
> > ----
> ---------------------------------------------------------------------- 
> > ---
> > Sponsored by: Watchfire
> >
> > Watchfire named worldwide market share leader in web application  
> > security
> > assessment by leading market research firm. Watchfire's AppScan is
> the
> > industry's first and leading web application security testing  
> > suite, and
> > the only solution to provide comprehensive remediation tasks at every
> > level of the application. See for yourself.
> > Download a Free Trial of AppScan 6.0 today!
> >
> > https://www.watchfire.com/securearea/appscansix.aspx? 
> > id=701300000007t9c
> ---------------------------------------------------------------------- 
> > ----



-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire named worldwide market share leader in web application security 
assessment by leading market research firm. Watchfire's AppScan is the 
industry's first and leading web application security testing suite, and 
the only solution to provide comprehensive remediation tasks at every 
level of the application. See for yourself. 
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c
--------------------------------------------------------------------------