Hi, ok, thanks, but then this brings me to the next question: when a web scanner company says "we cover all top 10 OWASP risks", are they lying then (see Acunetix, Sandcat etc.)?
Thanks

Davide

On 20 April 2011 15:05, Andres Riancho <[email protected]> wrote:
> Davide,
>
> On Wed, Apr 20, 2011 at 9:30 AM, davide sozzi <[email protected]> wrote:
>> Hi,
>>
>> thanks for your reply. But if I understood correctly, W3AF is able to
>> cover all Top 10 OWASP risks (using different plugins)
>
> No, what Steve said (and I agree with him at a 99% level) is that
> no black-box web application scanner can identify ALL vulnerabilities
> in the OWASP Top 10.
>
>> but it's not
>> 100% accurate, right?
>
> No black or white box analysis tool is 100% accurate.
>
>> Also, does W3AF test web services?
>
> Not at this time. We had support for it in the past, but we
> haven't touched that code section in some time and I think it's broken.
>
>> Thanks
>>
>> Davide
>>
>> On 20 April 2011 02:32, Steve Pinkham <[email protected]> wrote:
>>> On 04/19/2011 07:44 PM, davide sozzi wrote:
>>>> Hi all,
>>>>
>>>> I am looking around for a web security scanner and I was checking
>>>> various tools, then I found W3AF. Well, since this is all new stuff for
>>>> me I was wondering, what's the W3AF Top 10 OWASP coverage? Also, what
>>>> kind of files are scanned by W3AF?
>>>>
>>>> I am sorry but I couldn't find the answer to these questions in the FAQ
>>>> section.
>>>>
>>>> Thanks
>>>>
>>>> Davide
>>>
>>> We don't evaluate scanners that way.
>>>
>>> Here's why:
>>> https://www.whitehatsec.com/home/assets/WPOWASPtopten1109.pdf
>>>
>>> There is no scanner on earth capable of finding everything in the top
>>> 10. Even if you narrow it down to SQL Injection, which is a subset of A1
>>> - Injection flaws from the OWASP top 10, there is no scanner out there which
>>> can find every instance of it.
>>>
>>> w3af has plugins for most things that are automatable. It has a fairly
>>> broad coverage, but has some bugs that make it miss a number of things
>>> still. Much like any other scanner.
>>>
>>> See this blog for some relevant info limited to recent XSS and SQL
>>> injection testing: http://sectooladdict.blogspot.com/
>>>
>>> Of course, since this test everyone has been trying to up their game to
>>> pass it, and so far in the free space
>>> arachni (https://github.com/Zapotek/arachni) has done the best job on
>>> XSS, and there were some good tools in that report for SQL injection.
>>>
>>> At the moment, w3af excels at finding the "weird" stuff. No other free
>>> tool has the breadth it has.
>>>
>>> See the "audit" and "Grep" parts of this page for the things you are
>>> asking for.
>>>
>>> http://w3af.sourceforge.net/plugin-descriptions.php
>>>
>>> The more interesting ones are the discovery plugins. The problem most
>>> scanners have is not as much "can I find the flaws" but "can I find
>>> requests to test for flaws in the first place".
>>>
>>> The question you are not asking, and the one you really need answered, is:
>>> "what am I expecting automated tools to do for me?"
>>> Even at the tens-of-thousands-of-dollars-a-year level, the tools require
>>> much babysitting and tuning to get any decent results.
>>>
>>> tl;dr: w3af works on all technologies, and finds many classes of flaws,
>>> if not in all circumstances. Experience is still more important than
>>> tooling in Application Security, and I highly recommend you grab
>>> something like Web Security Dojo or Samurai and Moth and see how the
>>> tools work, what the limitations are, and how to discern false positives
>>> for yourself.
>>>
>>> --
>>> | Steven Pinkham, Security Consultant |
>>> | http://www.mavensecurity.com |
>>> | GPG public key ID CD31CAFB |
>>>
>>
>> ------------------------------------------------------------------------------
>> Benefiting from Server Virtualization: Beyond Initial Workload
>> Consolidation -- Increasing the use of server virtualization is a top
>> priority. Virtualization can reduce costs, simplify management, and improve
>> application availability and disaster protection. Learn more about boosting
>> the value of server virtualization. http://p.sf.net/sfu/vmware-sfdev2dev
>> _______________________________________________
>> W3af-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/w3af-users
>
>
> --
> Andrés Riancho
> Director of Web Security at Rapid7 LLC
> Founder at Bonsai Information Security
> Project Leader at w3af
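An added, self-contained illustration of Steve's point that even for SQL injection alone a black-box probe cannot find every instance, and that the hard part is knowing which request to test. This is example code written for this page, not w3af's code and not anything the posters wrote. It models a hypothetical application with three handlers (search, register, profile) on an in-memory SQLite database; all handler names, data and the probe itself are constructed for the example. An error-based probe of the kind a scanner's SQLi plugin runs flags the first-order flaw in search(), but reports nothing for register() or profile(), because the stored name only becomes SQL in a later request that the probe never links back to its own input.

```python
"""Why an error-based black-box probe finds one SQL injection and misses another.

Added, self-contained example for this thread; it is not code from w3af or
from any of the posters. The "app", the probe and the data are all constructed
here so it runs offline against an in-memory SQLite database.
"""
import re
import sqlite3


def make_db():
    # Constructed sample data: two users, one note each.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    db.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("admin",)])
    db.executemany(
        "INSERT INTO notes (author, body) VALUES (?, ?)",
        [("alice", "shopping list"), ("admin", "db password: hunter2")],
    )
    return db


class App:
    """Three hypothetical handlers standing in for HTTP endpoints."""

    def __init__(self):
        self.db = make_db()

    def search(self, q):
        # First-order injection: the parameter is concatenated into SQL, and a
        # stray quote surfaces as a database error in the response.
        sql = f"SELECT name FROM users WHERE name LIKE '%{q}%'"
        try:
            return 200, [r[0] for r in self.db.execute(sql)]
        except sqlite3.Error as e:
            return 500, f"SQL error: {e}"

    def register(self, name):
        # Parameterized: any payload is stored verbatim and nothing errors here.
        cur = self.db.execute("INSERT INTO users (name) VALUES (?)", (name,))
        return 200, cur.lastrowid

    def profile(self, user_id):
        # Second-order injection: the id is bound safely, but the name read
        # back from the database is trusted and concatenated into a new query.
        row = self.db.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
        if row is None:
            return 404, "no such user"
        sql = f"SELECT body FROM notes WHERE author = '{row[0]}'"
        try:
            return 200, [r[0] for r in self.db.execute(sql)]
        except sqlite3.Error as e:
            return 500, f"SQL error: {e}"

    def profile_fixed(self, user_id):
        # Hardened version of profile(): both values are bound parameters.
        row = self.db.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
        if row is None:
            return 404, "no such user"
        rows = self.db.execute("SELECT body FROM notes WHERE author = ?", (row[0],))
        return 200, [r[0] for r in rows]


SQL_ERROR_RE = re.compile(r"SQL error|syntax error|unrecognized token", re.I)


def naive_scan(app):
    """The kind of check an error-based SQLi plugin runs: send a lone quote
    into each parameter it knows about and flag the endpoint when the
    response looks like a database error."""
    endpoints = {"search": app.search, "register": app.register, "profile": app.profile}
    findings = []
    for name, handler in endpoints.items():
        status, body = handler("'")
        if status == 500 and SQL_ERROR_RE.search(str(body)):
            findings.append(name)
    return findings


def second_order_exploit(app, profile_handler=None):
    """What the probe cannot see: a name stored through the safe endpoint
    becomes SQL when a different endpoint reads it back later."""
    handler = profile_handler or app.profile
    _, uid = app.register("nobody' OR '1'='1")
    return handler(uid)


if __name__ == "__main__":
    app = App()
    print("probe flagged:", naive_scan(app))                          # ['search']
    print("second-order:", second_order_exploit(app))                 # every note, admin's included
    print("hardened:", second_order_exploit(app, app.profile_fixed))  # (200, [])
```

The probe here is deliberately the simplest error-based check; a real scanner adds boolean- and time-based variants, but none of them help with profile() unless the tool tracks that the value it registered is the one that later reaches a query, which is exactly the "can I find requests to test in the first place" problem in the thread.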
