[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [WEB SECURITY] RE: Environment for testing WebApp Security Scanners

Hello all,

I am currently working on web/web application security issues in
enterprise networks as an academic study. I think, the fundamental problem
(especially in campus networks), there is usually no "network awareness".
In enterprise networks, hundreds of different web servers and different
web applications can be present, where usually nobody knows detailed info
about web servers and applications running on them.

Maybe most of you know,
For security testing environment there is Stanford Securibench, which is a
set of open source real-life programs to be used as a testing ground for
static and dynamic security tools. Release .91a focuses on Web-based
applications written in Java.
http://suif.stanford.edu/~livshits/securibench/

There are many web/ web application security scanners. If anyone intrested
in this subject and also for a joint work, s/he is always welcome.

Enis Karaarslan
Ege University

> I added the WASC list, since many folks there are sensitive
> to this same subject.
>
>> -----Original Message-----
>> From: René Palige [mailto:rwp@xxxxxx]
>>
>> I?m currently working on my bachelor thesis which is about
>> the development  of a testsuite for different Web Application
>> Security Scanners. My goal is to provide an environment
>
> This, I discovered, was very challenging. When I post the OWASP
> Tools v3, one section of it is going to be about my trials and
> tribulations, mistakes, misfires and general stupidity in trying
> to scientifically, systematically evaluate tools, which culminated
> in the HEWA2 book.
>
> No one has done a good job at this, most reviews are just plain
> crap (sorry, everyone, it's the truth; if there's a good review
> to defend please step up to the plate).
>
> I have been holding off releasing v3 (which is a narrative doc)
> until I can put it out for peer review before making a final,
> hard, PDF. (should I just post to the list and let everyone chime
> in?...I'm afraid to do this b/c some of it is _not_nice_) I hope
> someone will wikify the end product.
>
>>I?m planning to use OWASPs WebGoat as some kind of groundwork.
>
> Not bad, but you will need more. Unless your thesis is "how
> effectively do webappscanner vendors code to detect issues
> in WebGoat?"
>
>>Would it be best to focus on "real-life scenarios"?
>
> That's what I fell upon. It's a bit more realistic.
>
> You get no tautology from the scanner vendors. You get real
> use-case scenarios, and a story to tell.
>
>> Or rather to cover as many
>> aspects of a special class of vulnerabilities as possible?
>
> This, also, I tackled, and have an evolving-complexity XSS
> generator; I have a couple of types now and continue to add
> more as time permits, and it is use specifically to generate
> XSS-vuln pages of varying filter/encoding complexity.
>
> It really should be in SiteGenerator (owasp.net) but it helps
> me make sure I'm not misunderstanding something to force myself
> to write complicated mistakes out by hand. :)
>
> Maybe I'll just rip the scanner eval story and post just that.
>
> Very cool, we need some smart grad work here.
>
> Arian J. Evans
>
>
> ----------------------------------------------------------------------------
> The Web Security Mailing List:
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>




----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org