[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[WEB SECURITY] RE: Environment for testing WebApp Security Scanners

From: "Evans, Arian" <Arian.Evans@xxxxxxxxxxxxxxxxxxx>
Subject: [WEB SECURITY] RE: Environment for testing WebApp Security Scanners
Date: Wed, 23 Aug 2006 16:54:52 -0500

I added the WASC list, since many folks there are sensitive
to this same subject.

> -----Original Message-----
> From: René Palige [mailto:rwp@xxxxxx] 
> 
> I?m currently working on my bachelor thesis which is about 
> the development  of a testsuite for different Web Application
> Security Scanners. My goal is to provide an environment

This, I discovered, was very challenging. When I post the OWASP
Tools v3, one section of it is going to be about my trials and
tribulations, mistakes, misfires and general stupidity in trying
to scientifically, systematically evaluate tools, which culminated
in the HEWA2 book.

No one has done a good job at this, most reviews are just plain
crap (sorry, everyone, it's the truth; if there's a good review
to defend please step up to the plate).

I have been holding off releasing v3 (which is a narrative doc)
until I can put it out for peer review before making a final,
hard, PDF. (should I just post to the list and let everyone chime
in?...I'm afraid to do this b/c some of it is _not_nice_) I hope
someone will wikify the end product.

>I?m planning to use OWASPs WebGoat as some kind of groundwork.

Not bad, but you will need more. Unless your thesis is "how
effectively do webappscanner vendors code to detect issues
in WebGoat?"

>Would it be best to focus on "real-life scenarios"?

That's what I fell upon. It's a bit more realistic.

You get no tautology from the scanner vendors. You get real
use-case scenarios, and a story to tell.

> Or rather to cover as many  
> aspects of a special class of vulnerabilities as possible?

This, also, I tackled, and have an evolving-complexity XSS
generator; I have a couple of types now and continue to add
more as time permits, and it is use specifically to generate
XSS-vuln pages of varying filter/encoding complexity.

It really should be in SiteGenerator (owasp.net) but it helps
me make sure I'm not misunderstanding something to force myself
to write complicated mistakes out by hand. :)

Maybe I'll just rip the scanner eval story and post just that.

Very cool, we need some smart grad work here.

Arian J. Evans


----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Follow-Ups:
- Re: [WEB SECURITY] RE: Environment for testing WebApp Security Scanners
  - From: Enis Karaarslan

Prev by Date: Re: [WEB SECURITY] Google Redirect URL actively used for Phishing
Next by Date: Re: [WEB SECURITY] RE: Environment for testing WebApp Security Scanners
Previous by thread: [WEB SECURITY] WiKID 2.1.1 released
Next by thread: Re: [WEB SECURITY] RE: Environment for testing WebApp Security Scanners
Index(es):
- Date
- Thread

Brought to you by http://www.webappsec.org