Comments on Jeremiah Grossman: Automated Scanners vs. Low-Hanging Fruit
(Blogger comment feed, retrieved 2024-02-08; 9 comments, newest first)

Jeremiah Grossman (https://www.blogger.com/profile/05017778127841311186), 2007-03-02 13:41 -08:00:
Anonymous, that's the point, I don't know of any. :)

ray, thanks for the comment. I see what you're saying, but the definition I gave for LHF was "vulnerabilities that are easy to find and exploit." I make no distinction for "how" they are found since it really doesn't matter. If you can push "go" and out pops vulns, that's easy enough for me. You're right though, everything about a scanner should be designed to reduce the time it takes to complete an assessment. The problem is not everyone thinks the current products are doing that. Also, I don't think scanners are actually improving or keeping pace with website technology, but that's a subject for a future blog post. :)

Anonymous, 2007-02-27 06:18 -08:00:
While you make a couple good points I think such a broad statement as "And, any vulnerability identifiable through a purely automated fashion (a scanner) can be classified as LHF – since anyone without much skill may buy/download a scanner, find a few technical vulnerabilities, and begin exploiting websites." is too harsh of an assessment. Automated scanners very often these days do find "Golden Apple" vulnerabilities. The scanners are improving and getting smarter every day.

The important thing to take away from this is that automated scanners are tools, not replacements for experienced pen testers or security professionals. Scanners GREATLY reduce the time needed for manual assessments and can often find critical "Golden Apple" vulnerabilities (such as blind SQL injection, which automated scanners do find and with a high confidence level :)).

Anonymous, 2007-02-27 00:04 -08:00:
Can you show me the XSS bug of sla.ckers?

Jeremiah Grossman, 2007-02-21 14:46 -08:00:
I think that vuln belongs to Lijit Networks though, not to the Security Bloggers Network banner or Feedburner.

Jeremiah Grossman, 2007-02-21 14:43 -08:00:
hehe, nice!

Unknown (https://www.blogger.com/profile/14330403433290118511), 2007-02-21 14:31 -08:00:
LHF:

http://preview.tinyurl.com/yprqvq

Jeremiah Grossman, 2007-02-21 12:39 -08:00:
Nice to see sla.ckers.org in the same sentence as those other big sites huh. :)

Show me the XSS!

Unknown, 2007-02-21 12:28 -08:00:
btw, there's an XSS in the 'Search FBN-Security Bloggers Network' banner.

greetings,
.mario

Unknown, 2007-02-21 12:22 -08:00:
sla.ckers.org? wow!