imho Nessus will to my knowledge detect infrastructure and basic configuration problems of the web servers and associated DMZ machinery but not application problems.

The right fora to discuss web application testing are to my knowledge [EMAIL PROTECTED] and [EMAIL PROTECTED], where there are ongoing and archived discussions of the validity of scan comparison results, metrics, common nomenclature for webapp vulnerabilities etc.

It may interest many in this group that there is an upcoming conference of OWASP and WASC on Nov. 12-15 in San Jose: http://www.owasp.org/index.php/OWASP_&_WASC_AppSec_2007_Conference

My impression is that the level of automation of web app scanning today is:
- different tools will give different results on the same target,
- the same tools will give different results on the same target depending on human intervention and manual settings,
- available tools are usually platform-specific,
- updates to cover new modes of attack are not provided in a timely manner,
i.e. there is considerable room for improvement.

Could/should infrastructure scanner developers share their experience in improving reliability and automation with the webappsec teams?

ajc

---------- Forwarded Message ----------

2007/10/10, John Hally <[EMAIL PROTECTED]>:

Just my $.02, I typically don't rely on VA scanners to test web sites/applications. IMHO it's beyond the scope of the VA scanner outside of basic checks (web server version, php/asp/.net version, rudimentary checks like directory traversal, config checking, etc). What I think you really need is something like SPI Dynamics, Firewatch, Cenzic Hailstorm, Acunetix, etc. that dig deep into the application and test for XSS, SQL injection, javascript issues, and the like. These apps do a LOT of digging and there's a lot going on, so you can cripple a website if you're not careful.

I've used Acunetix for a while and it's pretty good 'bang for the buck', so to speak, but you do get what you pay for. It's good for one-off testing, but there's no enterprise management piece that some of the others have that integrates into Dev, QA, automated scanning, etc.

Mileage may vary and you have to understand what's going on under the hood of the tool you choose, but check them all out to see what best fits what you're looking for.

Thanks,
John.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of KaNam
Sent: Tuesday, October 09, 2007 3:27 PM
To: [email protected]
Subject: Website scanning useless ??

Hey all,

I was trying Nessus 3.0.6.1 Build W321 (and before that 3.0.3) to scan a particular website for scripting vulnerabilities (phpBB and stuff), and I found for this part, Nessus will give you a false sense of security (since it may or may not return results, but mostly NOT).

Either I'm really stupid, because I can't get Nessus to scan on hostname, or Nessus developers aren't thinking clearly. Even though I input a hostname to scan, if you do a double check (packet capture on either side), you will see Nessus request pages on "host: resolved IP number". I see no settings on my Windows 2000 Server installation to change this.

Obviously, host: IP number works on about 0.00000001% of the webpages, since most webservers host multiple websites and of course will not return files from the requested hostname unless it's the one and only site running on that server.

So, is this my fault or have there been millions and millions of useless scans going around?

Oh, I've tried the IP[hostname] thingy for both localhost and remote website scanning. On all occasions, Nessus is scanning with the host:IP header. Please note, I'm not asking Nessus to scan ALL vhosts, I'm just asking it to scan ONE host (be it local or remote), and I'm even giving the name!

Laterz,
da Kimp.

--
_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
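An added example, not code from this thread or from Nessus, illustrating the Host-header point KaNam raises: a constructed name-based virtual host on loopback serves the intended page only when the Host header carries the hostname, so a request sent with Host: <IP> gets the server's default site instead. The hostname www.example.test and both page bodies are constructed for the demo.

```python
import threading
import http.client
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed vhost table: the documents a shared server hands out per Host header.
VHOSTS = {"www.example.test": b"<html>forum index (the site we meant to scan)</html>"}
DEFAULT_SITE = b"<html>default site: it works</html>"


class VHostHandler(BaseHTTPRequestHandler):
    """Minimal name-based virtual hosting: choose the document by the Host header."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]  # strip any :port suffix
        body = VHOSTS.get(host, DEFAULT_SITE)  # unknown or IP Host -> default site
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def start_server():
    """Bind a throwaway loopback port and serve from a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(ip, port, host_header, path="/"):
    """Connect by IP, as a scanner does, but send the Host header we choose."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    conn.request("GET", path, headers={"Host": host_header})
    body = conn.getresponse().read()
    conn.close()
    return body


def compare_host_headers(hostname="www.example.test"):
    """Return (body with Host: <ip>, body with Host: <hostname>) for one server."""
    srv = start_server()
    ip, port = srv.server_address
    try:
        by_ip = fetch(ip, port, ip)          # what the packet capture showed
        by_name = fetch(ip, port, hostname)  # what the scan was meant to send
    finally:
        srv.shutdown()
        srv.server_close()
    return by_ip, by_name
```

A finding list produced against the default site says nothing about the vhost you meant to test; comparing the two bodies is the quick way to confirm which one a scanner actually reached.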
