Re: [WEB SECURITY] Acunetix has free XSS scanner
- From: "Arian J. Evans" <arian.evans@xxxxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] Acunetix has free XSS scanner
- Date: Fri, 7 Sep 2007 18:20:31 -0700
If you go back in history, IIRC Sanctum shut down early attempts to do these.
They did it with WAVE, and I believe one other project. Which confuses me
b/c it seems they would have gone after Paros and others as well...
(Watchfire's acquisition may have changed this behavior as well)
Nota bene/libel disclaimer: I could be completely wrong on this -- this is
not an attempt to dig at Sanctum, but to answer Anurag's question. Feel free
to correct me here.
Anyway, the open source proxies (not scanners) have evolved beyond
some of their commercial counterparts in terms of features. For years
you have been able to edit binary data streams in Web Scarab; you could,
for example, take a serialized object from a fat client and deserialize it,
muck about with it, reserialize it, and pass it on to the server.
SPI's proxy completely lacked this ability at the same time, and Sanctum
didn't even have a proxy, though the SPI GUI and lack of memory leakage
made it fairly robust. Sensepost's proxies, while suffering from GUI-insanity,
also had some very sane and useful features.
All the free scanners, to date, are a joke. This could be my snobbery
about the subject, but I've hand fed everyone attack vectors they lack
tests for, and they still don't get them right. Not one of the commercial
desktop scanners can find what I consider to be still-trivial XSS. There's
now about 8 in my site hosted for this, that take a human about 15 minutes
to find, and the most expensive desktop scanner still finds *zero*. (They
do, however, find some false positives)
I like XSS as a benchmark, since so many other issues involving parser-
focused attacks, from Blind SQL Injection to HTTP Response Splitting,
all can leverage the same encoding, escaping, and malformed URI
mechanisms for squeezing the attack in. XSS is good for comparative
analysis because it is everywhere, all over, easy to find by hand and
easy to measure automated detection performance.
If someone is finding a complex XSS, and wires their Blind SQLi or HTTP RS
up to the same ideas, then they'll likely find those too. No one in commercial
land is doing this correctly today, and I mean *no one*. The vendor with the
most crazy and insane hype around their claims for all this stuff actually
does the worst job at it.
I find it highly unlikely that we'll see a useful open source tool anytime soon
that is a useful replacement, let alone augmentation for, human eyeballs.
However -- I love the spirit of the idea. So there -- the gauntlet is thrown
down; prove me wrong. I'll gladly eat my posts.
...
(If RSA accepts it I'll have a juicy presentation on this, though the low-level
tech bits I may need to save for a BlackHat, given RSA's business focus.)
--
Arian Evans
software security stuff
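The benchmark argument above (the same probe pushed through different encoding layers, and a scanner that only tries the raw form reporting a leaky output path as safe) can be shown with a small harness. This is an added example for illustration, not code from the thread or from any of the scanners it discusses; the two render functions are hypothetical stand-ins for an application's output layer, and the marker string is constructed.

```python
import html
from urllib.parse import unquote

# Constructed marker with no HTML metacharacters; only the brackets around it matter.
MARKER = "zqx7"


def render_safe(user_input: str) -> str:
    """Hypothetical correct output path: undo the transport (URL) encoding first,
    then HTML-escape exactly once before the value lands in markup."""
    return "<b>" + html.escape(unquote(user_input), quote=True) + "</b>"


def render_broken(user_input: str) -> str:
    """Hypothetical defective output path: escapes first, then URL-decodes.
    A decoding layer that runs after escaping can re-introduce the
    metacharacters the escaping already neutralised."""
    escaped = html.escape(user_input, quote=True)
    return "<b>" + unquote(escaped) + "</b>"


def reflected_unescaped(rendered: str) -> bool:
    """True when the probe's angle brackets reached the HTML verbatim."""
    return "<" + MARKER + ">" in rendered


def probe_variants() -> dict:
    """One probe expressed through the encoding layers a benchmark should cover:
    raw, URL-encoded once, and URL-encoded twice."""
    raw = "<" + MARKER + ">"
    return {
        "raw": raw,
        "url-encoded": raw.replace("<", "%3C").replace(">", "%3E"),
        "double-url-encoded": raw.replace("<", "%253C").replace(">", "%253E"),
    }


def benchmark(render_fn) -> dict:
    """Map each variant name to True when the renderer let it through unescaped."""
    return {name: reflected_unescaped(render_fn(v))
            for name, v in probe_variants().items()}


if __name__ == "__main__":
    for fn in (render_safe, render_broken):
        print(fn.__name__, benchmark(fn))
```

Running it shows `render_safe` neutralising every variant, while `render_broken` is caught only by the URL-encoded form: a check that sends the raw probe alone scores both renderers as clean, which is exactly the measurement gap the post complains about. The same harness extends to any other escaping bug by adding variants to `probe_variants`.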
On 9/7/07, Anurag Agarwal <a_agrawwal@xxxxxxxxx> wrote:
>
> Travis -
>
> has there been any good open source scanner which can threaten the
> commercial ones?
>
> If there comes out a good scanner which can outbeat some of the commercial
> tools then how long do you think it would take for companies to shut them
> down. The whole concept of web application security is driven by fault
> injection so if you have the patent on fault injection then basically I am
> at your mercy. Am I not?
>
> Cheers,
>
> Anurag Agarwal
>
> SEEC - An application security search engine
>
> Web: www.attacklabs.com , www.myappsecurity.com
>
> Email : anurag.agarwal@xxxxxxxxx
>
> Blog : http://myappsecurity.blogspot.com
>
> ----- Original Message ----
> From: Travis Altman <travisaltman@xxxxxxxxx>
> To: websecurity@xxxxxxxxxxxxx
> Sent: Friday, September 7, 2007 5:06:47 AM
> Subject: Re: [WEB SECURITY] Acunetix has free XSS scanner
>
> Anurag,
>
> Maybe I haven't been paying enough attention to the news, have there been
> cases against small independent open source scanners?
>
> Travis
>
> http://travisaltman.com
>
> On 9/7/07, Anurag Agarwal <a_agrawwal@xxxxxxxxx> wrote:
> >
> > If you guys really want an open source scanner then first you need to
> > start raising voice against some of the crazy patents that are being filed.
> > Writing a scanner is something people in the community may do in their free
> > time but who will fight against those lawyers when they sue you for patent
> > infringement.
> >
>
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org