WOW! Thanks Andres for your perfect explanation :) You made things perfectly clear!

Thanks
Davide

On 20 April 2011 17:41, Andres Riancho <[email protected]> wrote:
> Davide,
>
> I'll throw in some numbers based on my personal appreciation:
>
> On Wed, Apr 20, 2011 at 11:11 AM, davide sozzi <[email protected]> wrote:
>> Thanks all for your kind answers :)
>>
>> So even if W3AF doesn't cover all Top 10 OWASP, can someone please
>> tell me which of the following points are covered (even partially)
>>
>> Thanks a lot:
>>
>> A1-Injection
>
> Yes, 90%
>
>> A2-Cross Site Scripting (XSS)
>
> Yes, 100%
>
>> A3-Broken Authentication and Session Management
>
> Yes, 30%
>
>> A4-Insecure Direct Object References
>
> Yes, 30%
>
>> A5-Cross Site Request Forgery (CSRF)
>
> Yes, but very poorly
>
>> A6-Security Misconfiguration
>
> Yes, 50%
>
>> A7-Insecure Cryptographic Storage
>
> Yes, 20%
>
>> A8-Failure to Restrict URL Access
>
> Yes, 10%
>
>> A9-Insufficient Transport Layer Protection
>
> Yes, 80%
>
>> A10-Unvalidated Redirects and Forwards
>
> Yes, 80%
>
> Something important to notice is that OWASP Top10 is about RISKS and
> what most web application security scanners find are vulnerabilities.
> It might sound like simply words, but in this case 1 Risk has many
> vulnerabilities inside. Also, given OWASP's definition of Top10, there
> is not a clear indication of EXACTLY which vulnerabilities belong to
> each risk. For some, it's very clear, for some it's not.
>
> Also important on this matter is "personal appreciation" of the risk.
> For example, I analyze Risk #1 and see that it has 200 vulnerabilities
> inside; BUT only 25 of those 200 are really *seen in the wild*, so
> from my perspective, if w3af covers those 25, then we're at 100%. From
> another person's perspective, it might be that he thinks that we only
> cover 1/8 of A1 because he also wants to check for weird
> vulnerabilities that were present in 80's applications.
>
> On top of that... what about risk #11? And risk #34? There are more
> risks than the OWASP Top10 (which is a good starting point, but not the
> only thing to think about).
>
> Finally, and because I don't want to be writing this email for three
> days (ahh, I could be ranting about this for that long? w0w, I need
> therapy), a quick example:
> - w3af has a plugin that finds XSS vulnerabilities
> - w3af can find vulnerabilities in HTML based websites
> - Then, w3af covers A2.
>
> or not?
>
> - w3af has a plugin that finds XSS vulnerabilities
> - w3af can find vulnerabilities in HTML based websites
> - The user wants to use w3af to scan a website that is HEAVILY based on
> Flash
> - w3af doesn't know how to handle Flash files, and won't be able
> to find XSS in that application
> - Then, w3af doesn't cover A2.
>
> Ahhh, I love this discussion! I could go on for days :) Who wants to
> invite me to a conference so I can rant about the OWASP Top10, its
> implementation in web application scanners and what the scanners
> really claim they do? :)
>
>
> Regards,
>
>> Davide
>>
>> On 20 April 2011 15:38, Paolo Perego <[email protected]> wrote:
>>> On 20 April 2011 15:14, davide sozzi <[email protected]> wrote:
>>>>
>>>> Hi,
>>>>
>>>> ok thanks but then this brings me to the next question: when a web
>>>> scanner company says: "we cover all top10 OWASP risks" are they lying
>>>> then (see Acunetix, Sandcat etc)?
>>>
>>> Hi Davide, when companies say that they are compliant to something or
>>> someone and they pretend to have the 'catch it all' tool 100% accurate, 100%
>>> false positive free, 0 configuration ... well lying... what an ugly word...
>>> salesmen don't lie, they tell you a 'different' truth.
>>> It's the same story when consultancies say they are leaders of one
>>> technology or so on, isn't it?
>>> [1] 100% accuracy in security, I'm sorry but as Andres saw even with a
>>> hybrid approach (black+white test) does *not* exist.
>>> Ciao ciao
>>> Paolo
>>> --
>>> "... static analysis is fun, again!"
>>>
>>> OWASP Orizon project leader, http://github.com/thesp0nge/owasp-orizon
>>> OWASP Esapi Ruby project leader,
>>> https://github.com/thesp0nge/owasp-esapi-ruby
>>>
>
> --
> Andrés Riancho
> Director of Web Security at Rapid7 LLC
> Founder at Bonsai Information Security
> Project Leader at w3af

_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
