Davide,
On Wed, Apr 20, 2011 at 9:30 AM, davide sozzi <[email protected]> wrote:
> Hi,
>
> thanks for your reply. But if I understood correctly, W3AF is able to
> cover all Top 10 OWASP risks (using different plugins)
No, what Steve said (and I agree with him at a 99% level) is that
no black-box web application scanner can identify ALL vulnerabilities
in the OWASP Top 10.
> but it's not
> 100% accurate, right?
No black or white box analysis tool is 100% accurate.
> Also does W3AF test web services?
Not at this time. We had support for it in the past, but we
haven't touched that code section in some time and I think it's broken.
>
> Thanks
>
> Davide
>
>
> On 20 April 2011 02:32, Steve Pinkham <[email protected]> wrote:
>> On 04/19/2011 07:44 PM, davide sozzi wrote:
>>> Hi all,
>>>
>>> I am looking around for a web security scanner and I was checking
>>> various tools, then I found W3AF. Well, since this is all new stuff for
>>> me I was wondering, what's the W3AF Top 10 OWASP coverage? Also what
>>> kind of files are scanned by W3AF?
>>>
>>> I am sorry but I couldn't find the answer to these questions on the FAQ
>>> section.
>>>
>>> Thanks
>>>
>>> Davide
>>
>> We don't evaluate scanners that way.
>>
>> Here's why:
>> https://www.whitehatsec.com/home/assets/WPOWASPtopten1109.pdf
>>
>> There is no scanner on earth capable of finding everything in the top
>> 10. Even if you narrow it down to SQL Injection which is a subset of A1
>> - Injection flaws from OWASP top 10, there is no scanner out there which
>> can find every instance of it.
>>
>> w3af has plugins for most things that are automatable. It has a fairly
>> broad coverage, but has some bugs that make it miss a number of things
>> still. Much like any other scanner.
>>
>> See this blog for some relevant info limited to recent XSS and SQL
>> injection testing: http://sectooladdict.blogspot.com/
>>
>> Of course, since this test everyone has been trying to up their game to
>> pass it, and so far in the free space
>> arachni (https://github.com/Zapotek/arachni) has done the best job on
>> XSS, and there were some good tools in that report for SQL injection.
>>
>> At the moment, w3af excels at finding the "weird" stuff. No other free
>> tool has the breadth it has.
>>
>> See the "audit" and "Grep" parts of this page for the things you are
>> asking for.
>>
>> http://w3af.sourceforge.net/plugin-descriptions.php
>>
>> The more interesting ones are the discovery plugins. The problem most
>> scanners have is not as much "can I find the flaws" but "can I find
>> requests to test for flaws in the first place".
>>
>> The question you are not asking and the one you really need answered is,
>> "what am I expecting automated tools to do for me".
>> Even at the tens of thousands of dollars a year level, the tools require
>> much babysitting and tuning to get any decent results.
>>
>> tl;dr: w3af works on all technologies, and finds many classes of flaws,
>> if not in all circumstances. Experience is still more important than
>> tooling in Application Security, and I highly recommend you grab
>> something like Web Security Dojo or Samurai and Moth and see how the
>> tools work, what the limitations are, and how to discern false positives
>> for yourself.
>>
>> --
>> | Steven Pinkham, Security Consultant |
>> | http://www.mavensecurity.com |
>> | GPG public key ID CD31CAFB |
>>
>>
>
> ------------------------------------------------------------------------------
> Benefiting from Server Virtualization: Beyond Initial Workload
> Consolidation -- Increasing the use of server virtualization is a top
> priority.Virtualization can reduce costs, simplify management, and improve
> application availability and disaster protection. Learn more about boosting
> the value of server virtualization. http://p.sf.net/sfu/vmware-sfdev2dev
> _______________________________________________
> W3af-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/w3af-users
>
--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af