Houcem,

On Wed, Apr 20, 2011 at 3:38 PM, Houcem HACHICHA <[email protected]> wrote:
> Hi everyone, great discussion! I see arachni was mentioned for XSS, so let me add sqlmap as another great open source tool for SQLi (three types).
>
> I always hear that w3af does not support AJAX and Flash. Does anyone know of an open source tool that can help with these two?

None that I'm aware of.

> Thanks in advance,
>
> On Wed, Apr 20, 2011 at 6:51 PM, Steve Pinkham <[email protected]> wrote:
>>
>> On 04/20/2011 09:14 AM, davide sozzi wrote:
>> > Hi,
>> >
>> > ok thanks, but then this brings me to the next question: when a web scanner company says "we cover all top10 OWASP risks", are they lying then (see Acunetix, Sandcat etc)?
>> >
>> > Thanks
>> >
>> > Davide
>> >
>>
>> Davide,
>>
>> It seems that you didn't read the first link I sent, so I'll send it again, along with the most applicable quote:
>>
>> "For our part, WhiteHat Security is in the website security business and provides a vulnerability management service. Our Sentinel Service incorporates expert analysis with proprietary scanning technology. Using a black box process, we assess hundreds of websites a month, more than anyone in the industry. What we've come to understand is that a significant portion of vulnerabilities are virtually impossible for scanners to find. By the same token, even the most seasoned Web security experts cannot find many issues in a reliable and consistent manner. To achieve full vulnerability coverage and therefore complete vulnerability management, we must rely on a combination and integration of both methods."
>>
>> https://www.whitehatsec.com/home/assets/WPOWASPtopten1109.pdf
>>
>> Yes, any scanner who tells you "we cover all top10 OWASP risks" is flat out, bold faced lying.
>>
>> I'll point to the WASC scanner evaluation criteria project also, which is a good guide to the things you need to think about when choosing a scanner, and how to evaluate them to know their limitations:
>>
>> http://projects.webappsec.org/w/page/13246986/Web-Application-Security-Scanner-Evaluation-Criteria
>>
>> Appendix A on how to conduct a scanner evaluation should be particularly useful to you.
>>
>> IMHO, the Top Ten is the worst document OWASP makes, particularly for your confusion. Check out the Testing Guide and the ASVS for more insight into what application security testing should look like.
>>
>> In fairness, if you read the first few pages of the OWASP Top Ten PDF guide itself, it does give good guidance that the Top Ten doesn't mean anything and points you to their other, better resources.
>>
>> As an aside, I don't like the top ten much anyway, and when we write reports for our clients, we code findings with the much more descriptive WASC threat classification.
>> http://projects.webappsec.org/w/page/13246978/Threat-Classification
>>
>> You can see how they compare here:
>> http://projects.webappsec.org/w/page/13246975/Threat-Classification-Taxonomy-Cross-Reference-View
>>
>> --
>> | Steven Pinkham, Security Consultant |
>> | http://www.mavensecurity.com |
>> | GPG public key ID CD31CAFB |
>>
>> ------------------------------------------------------------------------------
>> Benefiting from Server Virtualization: Beyond Initial Workload Consolidation -- Increasing the use of server virtualization is a top priority. Virtualization can reduce costs, simplify management, and improve application availability and disaster protection. Learn more about boosting the value of server virtualization. http://p.sf.net/sfu/vmware-sfdev2dev
>> _______________________________________________
>> W3af-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/w3af-users
>>
>
> --
> Regards,
> Houcem

--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
