Davide,

    I'll throw in some numbers based on my personal appreciation:

On Wed, Apr 20, 2011 at 11:11 AM, davide sozzi <[email protected]> wrote:
> Thanks all for your kind answers :)
>
> So even if W3AF doesn't cover all Top 10 OWASP, can someone please
> tell me which of the following points are covered (even partially)
>
> Thanks a lot:
>
> A1-Injection

Yes, 90%

> A2-Cross Site Scripting (XSS)

Yes, 100%

> A3-Broken Authentication and Session Management

Yes, 30%

> A4-Insecure Direct Object References

Yes, 30%

> A5-Cross Site Request Forgery (CSRF)

Yes, but very poorly

> A6-Security Misconfiguration

Yes, 50%

> A7-Insecure Cryptographic Storage

Yes, 20%

> A8-Failure to Restrict URL Access

Yes, 10%

> A9-Insufficient Transport Layer Protection

Yes, 80%

> A10-Unvalidated Redirects and Forwards

Yes, 80%

Something important to notice is that OWASP Top10 is about RISKS and
what most web application security scanners find are vulnerabilities.
It might sound like simply words, but in this case 1 Risk has many
vulnerabilities inside. Also, given OWASP's definition of Top10, there
is not a clear indication of EXACTLY which vulnerabilities belong to
each risk. For some, it's very clear, for some it's not.

Also important on this matter is "personal appreciation" of the risk.
For example, I analyze Risk #1 and see that it has 200 vulnerabilities
inside; BUT only 25 of those 200 are really *seen in the wild*, so
from my perspective, if w3af covers those 25, then we're at 100%. From
another person's perspective, it might be that he thinks that we only
cover 1/8 of A1 because he also wants to check for weird
vulnerabilities that were present in 80's applications.

On top of that... what about risk #11? And risk #34? There are more
risks than the OWASP Top10 (which is a good starting point, but not the
only thing to think about).

Finally, and because I don't want to be writing this email for three
days (ahh, I could be ranting about this for that long? w0w, I need
therapy), a quick example:
    - w3af has a plugin that finds XSS vulnerabilities
    - w3af can find vulnerabilities in HTML based websites
    - Then, w3af covers A2.

    or not?

    - w3af has a plugin that finds XSS vulnerabilities
    - w3af can find vulnerabilities in HTML based websites
    - The user wants to use w3af to scan a website that is HEAVILY based on Flash
    - w3af doesn't know how to handle Flash files, and won't be able
to find XSS in that application
    - Then, w3af doesn't cover A2.

Ahhh, I love this discussion! I could go on for days :) Who wants to
invite me to a conference so I can rant about the OWASP Top10, its
implementation in web application scanners and what the scanners
really claim they do? :)


Regards,

>
> Davide
>
> On 20 April 2011 15:38, Paolo Perego <[email protected]> wrote:
>> On 20 April 2011 15:14, davide sozzi <[email protected]> wrote:
>>>
>>> Hi,
>>>
>>> ok thanks but then this brings me to the next question: when a web
>>> scanner company says: "we cover all top10 OWASP risks" are they lying
>>> then (see Acunetix, Sandcat etc)?
>>
>> Hi Davide, when companies say that they are compliant to something or
>> someone and they pretend to have the 'catch it all' tool 100% accurate, 100%
>> false positive free, 0 configuration ... well lying... what an ugly word...
>> salesmen don't lie, they tell you a 'different' truth.
>> It's the same story when consultancies say they are leaders of one
>> technology or so on, isn't it?
>> [1] 100% accuracy in security, I'm sorry but as Andres saw even with a
>> hybrid approach (black+white test) does *not* exist.
>> Ciao ciao
>> Paolo
>> --
>> "... static analysis is fun, again!"
>>
>> OWASP Orizon project leader, http://github.com/thesp0nge/owasp-orizon
>> OWASP Esapi Ruby project leader,
>> https://github.com/thesp0nge/owasp-esapi-ruby
>>
>



-- 
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af

_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users