Hi everyone, great discussion! I see *arachni* was mentioned for XSS, so let
me add *sqlmap* as another great open source tool for SQLi (three types).
I always hear that w3af does not support AJAX and Flash. Does anyone know of an
open source tool that can help with these two?
Thanks in advance,
On Wed, Apr 20, 2011 at 6:51 PM, Steve Pinkham <[email protected]> wrote:
> On 04/20/2011 09:14 AM, davide sozzi wrote:
> > Hi,
> >
> > ok thanks but then this brings me to the next question: when a web
> > scanner company says: "we cover all top10 OWASP risks" are they lying
> > then (see Acunetix, Sandcat etc)?
> >
> > Thanks
> >
> > Davide
> >
>
> Davide,
> It seems that you didn't read the first link I sent, so I'll send it
> again, along with the most applicable quote:
>
> "For our part, WhiteHat Security is in the website security business and
> provides a vulnerability management service.
> Our Sentinel Service incorporates expert analysis with proprietary
> scanning technology. Using a black box process, we assess hundreds of
> websites a month, more than anyone in the industry. What we’ve come to
> understand is that a significant portion of vulnerabilities are
> virtually impossible for scanners to find. By the same token, even the
> most seasoned Web security experts cannot find many issues in a reliable
> and consistent manner. To achieve full vulnerability coverage and
> therefore complete vulnerability management, we must rely on a
> combination and integration of both methods."
>
> https://www.whitehatsec.com/home/assets/WPOWASPtopten1109.pdf
>
> Yes, any scanner who tells you "we cover all top10 OWASP risks" is flat
> out, bold faced lying.
>
> I'll point to the WASC scanner evaluation criteria project also, which
> is a good guide to the things you need to think about when choosing a
> scanner, and how to evaluate them to know their limitations:
>
>
> http://projects.webappsec.org/w/page/13246986/Web-Application-Security-Scanner-Evaluation-Criteria
>
> Appendix A on how to conduct a scanner evaluation should be particularly
> useful to you.
>
> IMHO, the Top Ten is the worst document OWASP makes, particularly for
> your confusion. Check out the Testing Guide and the ASVS for more
> insight into what application security testing should look like.
>
> In fairness, if you read the first few pages of the OWASP Top Ten PDF
> guide itself, it does give good guidance that the Top Ten doesn't mean
> anything and points you to their other, better resources.
>
> As an aside, I don't like the top ten much anyway, and when we write
> reports for our clients, we code findings with the much more descriptive
> WASC threat classification.
> http://projects.webappsec.org/w/page/13246978/Threat-Classification
> You can see how they compare here:
>
> http://projects.webappsec.org/w/page/13246975/Threat-Classification-Taxonomy-Cross-Reference-View
>
> --
> | Steven Pinkham, Security Consultant |
> | http://www.mavensecurity.com |
> | GPG public key ID CD31CAFB |
>
>
>
> ------------------------------------------------------------------------------
> Benefiting from Server Virtualization: Beyond Initial Workload
> Consolidation -- Increasing the use of server virtualization is a top
> priority. Virtualization can reduce costs, simplify management, and improve
> application availability and disaster protection. Learn more about boosting
> the value of server virtualization. http://p.sf.net/sfu/vmware-sfdev2dev
> _______________________________________________
> W3af-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/w3af-users
>
>
--
*Regards,
Houcem*