Comments on Jeremiah Grossman: Are web application scanners ***ing useless?

Comment by Anonymous (signed "-ae"), 2007-07-27 15:57 -07:00

To add to this -- I know of one piece of production software with *three* different types of ways of handling tags that are vulnerable to attribute-based XSS. SPI WebInspect, IBM Appscan, and Cenzic Hailstorm are all unable to identify these issues.

I'm sure they could. Some of it is not that hard, if you think about the problem properly. But the point here is: they don't.

We do a pretty good job at WhiteHat with making sure our Sentinel platform can detect these kinds of issues, but the most accurate tests for probability also generate a lot of noise (if, say, the software is substituting string-enquoting characters but not manipulating your match string).

It's taken a while to try some different approaches to refine a high level of accuracy, and actually requiring some conditional logic changes to our engine to really nail this down tight.

I'd be embarrassed if I had to defend the marketing claims about this stuff because most vendors are flat-out hype as opposed to substance.

I love it when people pop out their technobafflegab and buzzword-compliant speak, and you hear from all the scanner vendors about how their scanner "properly builds and interprets the DOM" and "new AJAX scanning" and "Web 2.0" and so on. Because while that is cool and all (and yes, we have a DOM-based parser too)...

You can beat almost any scanner at their game with some basic regex, by writing smarter tests. :)

Cheers

-ae