On Fri, Mar 26, 2004 at 01:48:02PM -0500, John Lampe wrote:
> On Fri, 26 Mar 2004, Flickema, Drew W. wrote:
>
> > I have a pilot program in place using SPI Dynamics WebInspect (WI)
> > product to scan my environment for possible SQL Injection in web
> > applications. I have run across the following paper:
> > http://www.tenablesecurity.com/white_papers/sec_test_light_newt_nessus1.pdf
> > which suggests Nessus may be able to detect SQL and XSS
> > vulnerabilities. The paper is dated Jan 2, 2004, so it is relatively
> > new. I followed the suggestions of this paper to run a head-to-head
> > test against WI. There exists a website to test against,
> > http://endo.webappsecurity.com . I discovered that WI found 2 SQL
> > Injection vulnerabilities whereas Nessus found none. Nessus did
> > discover the CVS directory and expanded the root tree.
> > One thing I thought might be happening is that the website to test
> > against is owned by SPI and they have programmed in to watch for Nessus
> > scans to force false negatives.
> > Is there anyone successfully using sql_injection.nasl and
> > tourturecgis.nasl to discover SQL or XSS vulnerabilities? I would be
> > interested in either an offline or online discussion.
>
> Yeah, I used it a lot :-) You'll need to give webmirror.nasl and
> sql_injection.nasl some time to finish, i.e. these aren't 10-second
> tests. I'm very curious about the two SQL Injection bugs that existed but
> were not found by Nessus....
sql_injection.nasl and torture_cgi.nasl could be much more effective if
they used a POST request vs. the current GET requests. However I fear
that it will trash many more websites. Maybe only use POST when safe_checks()
is disabled?
-- Renaud
_______________________________________________
Nessus mailing list
http://mail.nessus.org/mailman/listinfo/nessus