To that point, I've seen SQLi that had minimal risk besides nuisance as the
DB was a secured POSTGRES and the user had low privs. I've also seen SQLi
where what looked like a tiny pointless hole actually exposed PII. On the
surface people would have viewed the second as less important until I
demonstrated the actual risk.
That said, w3af would only have pointed out that SQL existed.
No scanner can evaluate logic faults (manipulating price in a hidden field
of a shopping cart).
No scanner that I've seen can correctly ID all forms of XSS. I've used
IBM's AppScan and it failed to understand sanitized responses. In this case
the application stuck the XSS in a text field and returned it to the user in
an error message. The browser correctly rendered the malicious XSS as text
and not HTML. The scanner could only see that the malicious code was
returned. Ergo, false positive.
All scanners require manual follow-up to verify the quality of the scan.
Matt
On Wed, Apr 20, 2011 at 11:41 AM, Andres Riancho
<[email protected]> wrote:
> Davide,
>
> I'll throw in some numbers based on my personal appreciation:
>
> On Wed, Apr 20, 2011 at 11:11 AM, davide sozzi <[email protected]>
> wrote:
> > Thanks all for your kind answers :)
> >
> > So even if W3AF doesn't cover all Top 10 OWASP, can someone please
> > tell me which of the following points are covered (even partially)
> >
> > Thanks a lot:
> >
> > A1-Injection
>
> Yes, 90%
>
> > A2-Cross Site Scripting (XSS)
>
> Yes, 100%
>
> > A3-Broken Authentication and Session Management
>
> Yes, 30%
>
> > A4-Insecure Direct Object References
>
> Yes, 30%
>
> > A5-Cross Site Request Forgery (CSRF)
>
> Yes, but very poorly
>
> > A6-Security Misconfiguration
>
> Yes, 50%
>
> > A7-Insecure Cryptographic Storage
>
> Yes, 20%
>
> > A8-Failure to Restrict URL Access
>
> Yes, 10%
>
> > A9-Insufficient Transport Layer Protection
>
> Yes, 80%
>
> > A10-Unvalidated Redirects and Forwards
>
> Yes, 80%
>
> Something important to notice is that OWASP Top10 is about RISKS and
> what most web application security scanners find are vulnerabilities.
> It might sound like simply words, but in this case 1 Risk has many
> vulnerabilities inside. Also, given OWASP's definition of Top10, there
> is not a clear indication of EXACTLY which vulnerabilities belong to
> each risk. For some, it's very clear, for some it's not.
>
> Also important on this matter is "personal appreciation" of the risk.
> For example, I analyze Risk #1 and see that it has 200 vulnerabilities
> inside; BUT only 25 of those 200 are really *seen in the wild*, so
> from my perspective, if w3af covers those 25, then we're at 100%. From
> another person's perspective, it might be that he thinks that we only
> cover 1/8 of A1 because he also wants to check for weird
> vulnerabilities that were present in 80s applications.
>
> On top of that... what about risk #11 ? and risk #34? There are more
> risks than the OWASP Top10 (which is a good starting point, but not the
> only thing to think about).
>
> Finally, and because I don't want to be writing this email for three
> days (ahh, I could be ranting about this for that long? w0w, I need
> therapy) , a quick example:
> - w3af has a plugin that finds XSS vulnerabilities
> - w3af can find vulnerabilities in HTML based websites
> - Then, w3af covers A2.
>
> or not?
>
> - w3af has a plugin that finds XSS vulnerabilities
> - w3af can find vulnerabilities in HTML based websites
> - The user wants to use w3af to scan a website that is HEAVILY based on
> Flash
> - w3af doesn't know how to handle Flash files, and won't be able
> to find XSS in that application
> - Then, w3af doesn't cover A2.
>
> Ahhh, I love this discussion! I could go on for days :) Who wants to
> invite me to a conference so I can rant about the OWASP Top10 , its
> implementation in web application scanners and what the scanners
> really claim they do? :)
>
>
> Regards,
>
> >
> > Davide
> >
> > On 20 April 2011 15:38, Paolo Perego <[email protected]> wrote:
> >> On 20 April 2011 15:14, davide sozzi <[email protected]> wrote:
> >>>
> >>> Hi,
> >>>
> >>> ok thanks but then this brings me to the next question: when a web
> >>> scanner company says: "we cover all top10 OWASP risks" are they lying
> >>> then (see Acunetix, Sandcat etc)?
> >>
> >> Hi Davide, when companies say that they are compliant to something or
> >> someone and they pretend to have the 'catch it all' tool 100% accurate,
> >> 100% false positive free, 0 configuration ... well lying... what an ugly
> >> word... salesmen don't lie, they tell you a 'different' truth.
> >> It's the same story when consultancies say they are leader of one
> >> technology or so on, isn't it?
> >> [1] 100% accuracy in security, I'm sorry but as Andres saw even with a
> >> hybrid approach (black+white test) does *not* exist.
> >> Ciao ciao
> >> Paolo
> >> --
> >> "... static analysis is fun, again!"
> >>
> >> OWASP Orizon project leader, http://github.com/thesp0nge/owasp-orizon
> >> OWASP Esapi Ruby project leader,
> >> https://github.com/thesp0nge/owasp-esapi-ruby
> >>
> >
>
>
>
> --
> Andrés Riancho
> Director of Web Security at Rapid7 LLC
> Founder at Bonsai Information Security
> Project Leader at w3af
>
>
> _______________________________________________
> W3af-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/w3af-users
>
--
Matt Gardenghi
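As an added illustration of the false positive Matt describes (my code, not Matt's, AppScan's or w3af's): a reflection-only check fires whenever the probe text comes back, while a check that requires the probe's angle brackets to survive unencoded separates the HTML-escaped error message from a real injection point. The marker string and the three responses are constructed; the tag-context regex is one narrow check, and attribute or script contexts would need their own rules.

```python
import html
import re

# Harmless, unique marker whose angle brackets only matter if they are
# emitted into the page unencoded (constructed; not a w3af probe).
MARKER_ID = "w3afprobe7"
PROBE = f"<{MARKER_ID}>"

# Constructed responses from hypothetical applications.
# 1. Error message escapes the input, so the browser renders it as text.
RESP_ENCODED = (
    "<html><body><p>Error: unknown value "
    + html.escape(PROBE)
    + "</p></body></html>"
)
# 2. Input inserted verbatim, so the browser parses the probe as a tag.
RESP_RAW = (
    "<html><body><p>Error: unknown value " + PROBE + "</p></body></html>"
)
# 3. Reflected inside a quoted attribute with quotes and brackets escaped.
RESP_ATTR = '<input value="' + html.escape(PROBE, quote=True) + '">'


def naive_check(body: str) -> bool:
    """What a reflection-only check sees: the marker text came back at all.
    This is true for the escaped error message too, hence the false positive."""
    return MARKER_ID in body


def classify_reflection(body: str) -> str:
    """'raw' if the probe survives as markup, 'encoded' if it was escaped
    (rendered as text), 'none' if the marker is not reflected at all."""
    if re.search(rf"<{MARKER_ID}\b", body):
        return "raw"
    if MARKER_ID in html.unescape(body):
        return "encoded"
    return "none"


def triage(body: str) -> str:
    """Verdict a manual follow-up of the scanner finding would reach."""
    return {
        "raw": "reflected unencoded: genuine reflected XSS candidate",
        "encoded": "reflected but HTML-escaped: false positive",
        "none": "not reflected",
    }[classify_reflection(body)]
```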