Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Environment for testing WebApp Security Scanners

from [Roman H.] Network Security [Permanent Link]
Subject: Re: Environment for testing WebApp Security Scanners
Date: Tue, 8 Aug 2006 03:54:13 -0700 (PDT) 
RenÃ,

You might want to consider looking at the OWASP SiteGenerator project (coded by 
Dinis Cruz and sponsored by Foundstone).  It has tried to tackle the exact 
problem that you are working on.  So I would suggest that you make use of it in 
your research, and perhaps build on Dinis' work to improve SiteGenerator (maybe 
reach a 1.0 version?).  What everyone would really love to see is some actual 
published results against a test suite, but it's not likely you will convince 
any vendors to let you do that.  

WebGoat is probably not the best app for your purposes, since it's designed to 
be a tutorial and doesn't resemble a real-world business application (i.e. the 
market for scanners).  Besides, I would bet that many of the scanners have 
specifically coded signatures for WebGoat.  On the other hand, SiteGenerator 
can be easily reconfigured to have a different sitemap with new custom 
vulnerabilities so it never looks the same to a scanner.  

http://www.owasp.org/index.php/Owasp_SiteGenerator

Cheers,

Roman Hustad


----- Original Message ----
From: Renà Palige <rwp@gmx.de>
To: webappsec@securityfocus.com
Sent: Monday, August 7, 2006 1:33:02 PM
Subject: Environment for testing WebApp Security Scanners

Hi!

I?m currently working on my bachelor thesis which is about the development  
of a testsuite for different Web Application Security Scanners. My goal is  
to provide an environment which can be used as a basis for testing and  
evaluating the performance of the many tools already existing.  
Consequently the main part of my work will be to implement different types  
of vulnerabilites in more or less realistic scenarios and with different  
characteristics. At the moment I?m planning to use OWASPs WebGoat as some  
kind of groundwork.
My questions:
Which "features" would you consider to be necessary or useful in this  
context? And what basic requirements do you see which should be met? Would  
it be best to focus on "real-life scenarios"? Or rather to cover as many  
aspects of a special class of vulnerabilities as possible?

Thanks in advance,
R. Palige







-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire was recently named the worldwide market leader in Web 
application security assessment tools by both Gartner and IDC. 
Download a free trial of AppScan today and see why more customers choose 
AppScan then any other solution. Try it today!
  
https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008VnB
--------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Environment for testing WebApp Security Scanners, Mark Curphey
Next by Date:  Re: [Full-disclosure] Attacking the local LAN via XSS, Dude VanWinkle
Previous by Thread:  RE: Environment for testing WebApp Security Scanners, Mark Curphey
Next by Thread:  RE: Environment for testing WebApp Security Scanners, Brokken, Allen P.
Indexes:  [Date] [Thread] [Top] [All Lists]