Dear Chick,

As far as automated scanners are concerned, they give a lot of false
positives, especially for SQL injection. The only way to eliminate these is to
manually replay the scenario. Appscan gives you a detailed report of how the
vulnerability was discovered.

It gives you the URL and the parameter in which the injection has been
performed. It details the request which has been sent and also the response
for the same.

Also, Appscan has an option "show in browser" for each vulnerability. One can
test the vulnerability using this option in the Appscan browser itself. Click on
the button, the Appscan browser opens, and one can verify whether a
vulnerability exists.

Hope this helps.

Additional info: Automated scanners do give some good results. However,
false positives do exist. Manual verification is mandatory to eliminate
them.
The worst part is "false negatives". Automated tools cannot find
everything in a scan.
So if you completely depend on automated scanning, you are in deep trouble.
Manual testing of the application is necessary for complete coverage.

On 11 August 2010 00:03, Srinivas Naik <[email protected]> wrote:

> Dear Chick,
>
> Let me bring to your notice that automated scanners cannot do a total
> scan of the application.
>
> >I tested the SQL injection and I am unable to match it with the
> >report which was generated.
>
> It means that either the vulnerability is out of scope for the scanner, or
> the vulnerability doesn't exist in the application.
>
> With respect to analysing the generated report: go to the URI of the scanned
> application and verify the vulnerability specified below the URI.
>
> Please include the report sample for more info.
>
> Regards,
> 0xN41K
> On Tue, Aug 10, 2010 at 11:39 PM, Old Chick <[email protected]> wrote:
>
>>
>> I tested the SQL injection and I am unable to match it with the
>> report which was generated.
>> How do I have to analyse the report? Give me some example, please.
>>
>> Thank you
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "nforceit" group.
>> To post to this group, send an email to [email protected].
>> To unsubscribe from this group, send email to
>> [email protected]<nforceit%[email protected]>
>> .
>> For more options, visit this group at
>> http://groups.google.com/group/nforceit?hl=en-GB.
>>
>>



-- 
Regards,
kishore sangaraju
