
RE: [WEB SECURITY] RE: Environment for testing WebApp Security Scanners





"Real-life" programs meaning applications intended for actual use, not
just for security benchmarking? Wouldn't you want to fix the vulns you
find in those, thereby ruining their value as benchmarks?

-----Original Message-----
From: Enis Karaarslan [mailto:enis.karaarslan@ege.edu.tr]
Sent: Thu 8/24/2006 3:08 AM
To: Evans, Arian; rwp@gmx.de
Cc: websecurity@webappsec.org; webappsec@securityfocus.com
Subject: Re: [WEB SECURITY] RE: Environment for testing WebApp Security Scanners

Hello all,

I am currently working on web/web application security issues in
enterprise networks as an academic study. I think the fundamental problem
(especially in campus networks) is that there is usually no "network
awareness". In enterprise networks, hundreds of different web servers and
different web applications can be present, where usually nobody knows
detailed info about the web servers and the applications running on them.

Maybe most of you know this already, but as a security testing environment
there is Stanford Securibench, which is a set of open source real-life
programs to be used as a testing ground for static and dynamic security
tools. Release .91a focuses on Web-based applications written in Java.
http://suif.stanford.edu/~livshits/securibench/

There are many web/web application security scanners. If anyone is
interested in this subject and also in joint work, s/he is always welcome.

Enis Karaarslan
Ege University

> I added the WASC list, since many folks there are sensitive
> to this same subject.
>
>> -----Original Message-----
>> From: René Palige [mailto:rwp@gmx.de]
>>
>> I'm currently working on my bachelor thesis which is about
>> the development  of a testsuite for different Web Application
>> Security Scanners. My goal is to provide an environment
>
> This, I discovered, was very challenging. When I post the OWASP
> Tools v3, one section of it is going to be about my trials and
> tribulations, mistakes, misfires and general stupidity in trying
> to scientifically, systematically evaluate tools, which culminated
> in the HEWA2 book.
>
> No one has done a good job at this, most reviews are just plain
> crap (sorry, everyone, it's the truth; if there's a good review
> to defend please step up to the plate).
>
> I have been holding off releasing v3 (which is a narrative doc)
> until I can put it out for peer review before making a final,
> hard, PDF. (should I just post to the list and let everyone chime
> in?...I'm afraid to do this b/c some of it is _not_nice_) I hope
> someone will wikify the end product.
>
>> I'm planning to use OWASP's WebGoat as some kind of groundwork.
>
> Not bad, but you will need more. Unless your thesis is "how
> effectively do webappscanner vendors code to detect issues
> in WebGoat?"
>
>>Would it be best to focus on "real-life scenarios"?
>
> That's what I fell upon. It's a bit more realistic.
>
> You get no tautology from the scanner vendors. You get real
> use-case scenarios, and a story to tell.
>
>> Or rather to cover as many
>> aspects of a special class of vulnerabilities as possible?
>
> This, also, I tackled, and have an evolving-complexity XSS
> generator; I have a couple of types now and continue to add
> more as time permits, and it is used specifically to generate
> XSS-vuln pages of varying filter/encoding complexity.
>
> It really should be in SiteGenerator (owasp.net) but it helps
> me make sure I'm not misunderstanding something to force myself
> to write complicated mistakes out by hand. :)
>
> Maybe I'll just rip the scanner eval story and post just that.
>
> Very cool, we need some smart grad work here.
>
> Arian J. Evans
>




----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]





