Something I was forgetting... "Business logic flaws"! Those are my
favorite, and they are always there, no matter if there is a WAF or
not, you'll always find them.

Cheers,

On Mon, Oct 5, 2009 at 4:47 PM, Brad Causey <[email protected]> wrote:
> rXSS for me is the most frequent by volume. We do see info disclosure
> and error message type findings on every one as well. There are a few
> that don't show up often, but that is because the technology isn't in
> use as much. (WSDL, SSI, and ORM are a few examples)
> I typically see highs (sql injection, xss, OS commanding, etc) on 99%
> of the apps reviewed.
> SQLi is actually more common than you might think. Problem is, it's
> been buried behind WAFs and pretty error messages, so you don't get
> DBMS errors like you used to as much. Typically I end up fighting the
> WAF over SQLi, and sometimes I lose. =)
> This is not related to using the W3AF Tool, but a generalization of
> reviews in general.
>
> -Brad Causey
> CISSP, MCSE, C|EH, CIFI, CGSP
>
> http://www.owasp.org
> --
> Never underestimate the time, expense, and effort an opponent will
> expend to break a code. (Robert Morris)
> --
>
>
>
> On Mon, Oct 5, 2009 at 2:32 PM, Andres Riancho <[email protected]> 
> wrote:
>> Steve,
>>
>> On Mon, Oct 5, 2009 at 3:16 PM, steve jacobs <[email protected]> 
>> wrote:
>>> Out of interest, I'd be interested to know what vulnerabilities show up in
>>> most apps you review? I guess gaping SQLi flaws are rare in companies with
>>> decent programmers, but are there some vulnerabilities that show up time and
>>> time again when you do these security audits? I'm seriously intrigued by
>>> the w3af framework. What would you say are the top offenders (vulnerability
>>> wise) that always show up in almost any app?
>>
>> Well... in my experience, SQL injection is there in at least 65% of
>> the web applications I've tested. I usually test web applications from
>> banks, financial institutions, online carts, etc. for companies in
>> South America and USA. Also, XSS and local file read are two common
>> vulnerabilities that you'll find in most assessments.
>>
>> Cheers,
>>
>>>
>>> Thanks,
>>> Steve J.
>>>
>>> ------------------------------------------------------------------------------
>>> Come build with us! The BlackBerry® Developer Conference in SF, CA
>>> is the only developer event you need to attend this year. Jumpstart your
>>> developing skills, take BlackBerry mobile applications to market and stay
>>> ahead of the curve. Join us from November 9-12, 2009. Register now!
>>> http://p.sf.net/sfu/devconf
>>> _______________________________________________
>>> W3af-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/w3af-users
>>>
>>>
>>
>>
>>
>> --
>> Andrés Riancho
>> Founder, Bonsai - Information Security
>> http://www.bonsai-sec.com/
>> http://w3af.sf.net/
>>
>>
>
>



-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/

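The point made at the top of this thread, that business logic flaws are there whether or not a WAF sits in front of the application, is easy to see in code. The following is an added, constructed example; it is not code from the thread, from w3af or from any of the posters. The catalogue, SKUs, prices, the toy signature list standing in for a WAF, and all four requests are invented for illustration. It shows a checkout handler that trusts client-supplied quantity and unit price (a textbook logic flaw), a naive signature filter that passes those requests because every value is a plain integer, and the hardened handler that enforces the business invariants server-side.

```python
"""Constructed example (not from the w3af-users thread): a signature-based
WAF versus a business logic flaw in a checkout handler.

All names, prices and requests are invented for illustration.
"""
import re
from dataclasses import dataclass

# Hypothetical server-side catalogue: the only trusted source of prices (cents).
CATALOG = {"sku-100": 4999, "sku-200": 1250}

# A deliberately naive signature list standing in for a WAF rule set.
WAF_SIGNATURES = [
    re.compile(r"(?i)(union\s+select|'\s*or\s+'1'\s*=\s*'1|--\s*$)"),
    re.compile(r"(?i)<\s*script"),
]


def waf_allows(request: dict) -> bool:
    """True when no parameter value matches a known attack signature."""
    return not any(sig.search(str(v)) for v in request.values() for sig in WAF_SIGNATURES)


@dataclass
class Order:
    sku: str
    quantity: int
    total_cents: int


class OrderError(ValueError):
    """Raised by the hardened handler when a business invariant fails."""


def checkout_vulnerable(request: dict) -> Order:
    """Flawed handler: believes the client's quantity AND unit price.
    Nothing here is a syntax attack, so a WAF has nothing to match."""
    sku = request["sku"]
    qty = int(request["quantity"])
    unit = int(request["unit_price"])  # trusted straight from the client
    return Order(sku, qty, qty * unit)


def checkout_hardened(request: dict) -> Order:
    """Fixed handler: price comes from the catalogue, quantity is bounded,
    and the total must be positive. These are business rules, not input
    syntax checks, which is why they belong in the application."""
    sku = request.get("sku")
    if sku not in CATALOG:
        raise OrderError("unknown sku")
    try:
        qty = int(request.get("quantity", ""))
    except ValueError:
        raise OrderError("quantity must be an integer") from None
    if not 1 <= qty <= 100:
        raise OrderError("quantity out of range")
    total = qty * CATALOG[sku]
    if total <= 0:
        raise OrderError("non-positive total")
    return Order(sku, qty, total)


# Constructed requests: one honest, two abusing the logic, one syntax probe.
HONEST = {"sku": "sku-100", "quantity": "2", "unit_price": "4999"}
NEGATIVE_QTY = {"sku": "sku-100", "quantity": "-3", "unit_price": "4999"}
CHEAP_PRICE = {"sku": "sku-100", "quantity": "1", "unit_price": "1"}
SQLI_PROBE = {"sku": "sku-100' OR '1'='1", "quantity": "1", "unit_price": "4999"}


def run_through(handler, request: dict):
    """WAF first, then the handler. Returns ('waf', None) when the filter
    blocks, ('ok', Order) on success, or ('rejected', reason)."""
    if not waf_allows(request):
        return ("waf", None)
    try:
        return ("ok", handler(request))
    except OrderError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    cases = [("honest", HONEST), ("negative_qty", NEGATIVE_QTY),
             ("cheap_price", CHEAP_PRICE), ("sqli_probe", SQLI_PROBE)]
    for name, req in cases:
        print(f"{name:13} vulnerable={run_through(checkout_vulnerable, req)}"
              f"  hardened={run_through(checkout_hardened, req)}")
```

Running it shows the filter stopping only the request that carries a recognisable string; the negative quantity and the client-chosen price sail through to the flawed handler and produce a negative or one-cent order, while the hardened handler rejects the first and silently prices the second from the catalogue. Detection for this class of flaw therefore lives in application-level invariants and in monitoring order totals, not in a perimeter rule set.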
