Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Environment for testing WebApp Security Scanners

from [Mark Curphey] Network Security [Permanent Link]
Subject: RE: Environment for testing WebApp Security Scanners
Date: Tue, 8 Aug 2006 07:07:35 -0400 
You should look at OWASP Sitegenerator. This was designed specifically for
what you are aiming to do; benchmarking web app scanners. 

http://www.owasp.org/index.php/Owasp_SiteGenerator

Adding a new test case is easy. Create the page with the vulberable
condition and add it to the xml site mapping. Basically the tool creates
(under the hood it fakes it but.... ) a site of whatever size and mix of
complexity (navigation, vuln types, vuln density) you want so you can
generate a site that is a replica of the real world and not just a lab
environment or canned test site. 

-----Original Message-----
From: René Palige [mailto:rwp@gmx.de] 
Sent: Monday, August 07, 2006 4:33 PM
To: webappsec@securityfocus.com
Subject: Environment for testing WebApp Security Scanners

Hi!

I?m currently working on my bachelor thesis which is about the development
of a testsuite for different Web Application Security Scanners. My goal is
to provide an environment which can be used as a basis for testing and
evaluating the performance of the many tools already existing.  
Consequently the main part of my work will be to implement different types
of vulnerabilites in more or less realistic scenarios and with different
characteristics. At the moment I?m planning to use OWASPs WebGoat as some
kind of groundwork.
My questions:
Which "features" would you consider to be necessary or useful in this
context? And what basic requirements do you see which should be met? Would
it be best to focus on "real-life scenarios"? Or rather to cover as many
aspects of a special class of vulnerabilities as possible?

Thanks in advance,
R. Palige




-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire was recently named the worldwide market leader in Web application
security assessment tools by both Gartner and IDC. 
Download a free trial of AppScan today and see why more customers choose
AppScan then any other solution. Try it today!
  
https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008VnB
--------------------------------------------------------------------------



-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire was recently named the worldwide market leader in Web 
application security assessment tools by both Gartner and IDC. 
Download a free trial of AppScan today and see why more customers choose 
AppScan then any other solution. Try it today!
  
https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008VnB
--------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  SF new column announcement: E-mail privacy in the workplace, Craig Wright
Next by Date:  Re: Environment for testing WebApp Security Scanners, Roman H.
Previous by Thread:  Environment for testing WebApp Security Scanners, René Palige
Next by Thread:  Re: Environment for testing WebApp Security Scanners, Roman H.
Indexes:  [Date] [Thread] [Top] [All Lists]