RE: Spi's products worth a try? Or any suggestions for developers' tool?

From: Ory Segal (osegal@watchfire.com)
Date: Thu Nov 10 2005 - 02:56:41 EST


Hello,

Just to clarify things -

AppScan parses JavaScripts to extract links in all web pages (if
configured to do so), but this has nothing to do with what Thomas
mentioned.

Thomas was referring to a check that AppScan performs for pages which
use "document.write" in order to generate HTML on the client side.

Thank you,
-Ory Segal,
Watchfire
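
As an added illustration of the two behaviours this thread discusses (scanners pulling links out of JavaScript so the crawler can reach pages a plain HTML parse never sees, and AppScan flagging every document.write for further analysis), here is a small static triage script. It is not code from AppScan, WebInspect, NTOSpider or HailStorm and does not reproduce any vendor's logic; the source and sink lists, the single-pass statement-level taint propagation, and the sample page are all assumptions constructed for this example.

```javascript
// Added example (not from the thread or any scanner vendor): static triage of
// a page's inline scripts. Two passes: (1) collect URL-like string literals so
// a crawler can queue them, (2) flag statements that write HTML on the client,
// escalating those fed by a URL- or referrer-controlled value.

// Values an attacker controls through the request itself (assumed list).
const UNTRUSTED_SOURCES = [
  'location.hash', 'location.search', 'location.href',
  'document.URL', 'document.referrer', 'window.name',
];

// Sinks that turn a string into markup on the client side (assumed list).
const HTML_SINKS = [/document\.write(ln)?\s*\(/, /\.innerHTML\s*=/, /\.outerHTML\s*=/];

// Pull the bodies of <script> elements out of an HTML string.
function extractInlineScripts(html) {
  const scripts = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) scripts.push(m[1]);
  return scripts;
}

// Crawler helper: string literals that look like absolute or root-relative
// links. A crawler that only parses HTML never sees these until runtime.
function extractLinks(script) {
  const links = new Set();
  const re = /['"]((?:https?:\/\/|\/)[^'"\s]+)['"]/g;
  let m;
  while ((m = re.exec(script)) !== null) links.add(m[1]);
  return [...links];
}

// Which untrusted sources, or variables already marked tainted, a statement reads.
function taintedRefs(stmt, tainted) {
  const direct = UNTRUSTED_SOURCES.filter((src) => stmt.includes(src));
  const viaVar = [...tainted].filter((v) =>
    new RegExp(`\\b${v.replace(/\$/g, '\\$')}\\b`).test(stmt));
  return [...direct, ...viaVar];
}

// Split a script into statements (crudely, on ';' and newlines), propagate
// taint through simple "name = <expr>" assignments in source order, and report
// every HTML sink. A sink with no known untrusted input is still reported
// ("review"): the analysis is deliberately shallow, so a human has to confirm.
function findHtmlSinks(script) {
  const findings = [];
  const tainted = new Set();
  const assign = /^(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=\s*(.+)$/;
  for (const raw of script.split(/;|\n/)) {
    const stmt = raw.trim();
    if (!stmt) continue;
    const sources = taintedRefs(stmt, tainted);
    const m = assign.exec(stmt);
    if (m && sources.length) tainted.add(m[1]);
    if (!HTML_SINKS.some((s) => s.test(stmt))) continue;
    findings.push({ statement: stmt, sources, severity: sources.length ? 'high' : 'review' });
  }
  return findings;
}

function triagePage(html) {
  const scripts = extractInlineScripts(html);
  return {
    links: scripts.flatMap(extractLinks),
    sinks: scripts.flatMap(findHtmlSinks),
  };
}

// Constructed sample page for the example; not taken from any real site.
const SAMPLE_PAGE = `
<html><body>
<script>
  var next = '/account/summary?tab=1';
  document.write('<a href="' + next + '">Summary</a>');
  var q = location.search;
  document.write('<p>You searched for ' + q + '</p>');
  document.getElementById('out').textContent = location.hash;
</script>
<script src="https://cdn.example.test/app.js"></script>
</body></html>`;

console.log(JSON.stringify(triagePage(SAMPLE_PAGE), null, 2));
```

Run against the sample page, the link pass recovers `/account/summary?tab=1`, which only exists inside a script string. The sink pass reports both `document.write` calls: the first writes a constant and comes back as "review" (a tester would clear it quickly), the second is fed by `q`, which was assigned from `location.search`, so it is escalated to "high"; the `textContent` assignment is not a markup sink and is not reported even though it reads `location.hash`. The propagation stops at function boundaries and at the end of each script block, which is exactly the kind of gap the thread's "requires further analysis from the tester" covers.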

-----Original Message-----
From: Thomas Ryan [mailto:tryan@siegeworksint.com]
Sent: Wednesday, November 09, 2005 9:25 AM
To: webappsec@securityfocus.com
Cc: 'Aman Raheja'; pen-test@securityfocus.com; caseytay@nets.com.sg
Subject: RE: Spi's products worth a try? Or any suggestions for developers' tool?

Over the past 2 months I have been analyzing AppScan, HailStorm,
NTOSpider, WebInspect for a paper to be released within a few weeks. All
4 scanners have some type of support for JavaScript, but one really
stood out and caught my attention. That would be NTOSpider 2.0
(www.ntobjectives.com). By far it has the best JavaScript analysis engine
and is lightning fast.

SPI does choke up when testing a JavaScript intensive website, but most
testers overcome this issue by using SPIProxy to test JavaScript
intensive websites.

AppScan reports all document.write as Highly Suspicious and requires
further analysis from the tester.

HailStorm is testing a JavaScript intensive site as we speak. I will
have more feedback tomorrow.

All 4 scanners have said they will support AJAX in the next 6
months... all we need is some AJAX sites to test.

Thomas Ryan
Senior Security Consultant
SiegeWorks International

-----Original Message-----
From: caseytay@nets.com.sg [mailto:caseytay@nets.com.sg]
Sent: Tuesday, November 08, 2005 5:47 PM
To: Cory Stoker
Cc: Aman Raheja; pen-test@securityfocus.com; davidlim@nets.com.sg
Subject: Re: Spi's products worth a try? Or any suggestions for developers' tool?

Hi Cory,

This is regarding your statement about SPI WebInspect. You mentioned:

"Also if
your site utilizes Javascript heavily, SPI will have a tougher time
crawling your site and analyzing it. If a site has Javascript you
would manually crawl the site first then analyze the pages crawled."

My questions:
1) Why would WebInspect have a tough time crawling sites with
JavaScript?
2) Why do you advise that the pentester first do a manual walkthrough scan,
then analyse from there onwards, instead of doing an auto scan first?

Regards,
Casey

 

Cory Stoker <cory@clearnetsec.com>
11/08/2005 03:56 AM

To: Aman Raheja <araheja@techquotes.com>, pen-test@securityfocus.com
cc:
Subject: Re: Spi's products worth a try? Or any suggestions for developers' tool?

I have used SPI Web inspect and it is a pretty good tool. It is not
a run and forget tool but it is valuable in a web assessment. Mostly
it is a time saver as it does many tests automatically so you do not
have to write scripts for the repetitive tasks. One thing that rocks
is the SPI toolkit option for Web Inspect as it is a framework for
manual testing that is pretty comprehensive. However the licensing
scheme for Web Inspect is very restrictive and expensive for a tool
of this nature IMHO. For example the cheaper licenses restrict you
to a single IP but the site wide license is very pricey. Also if
your site utilizes Javascript heavily, SPI will have a tougher time
crawling your site and analyzing it. If a site has Javascript you
would manually crawl the site first then analyze the pages crawled.

---
Cory Stoker
ClearNet Security
On Nov 3, 2005, at 11:55 PM, Aman Raheja wrote:
> Hello
> Anyone has any experience with Spi's tools for web application
> vulnerability scanning?
> http://www.spidynamics.com/products/index.html
> I need to suggest developers' tool so that they can self assess
> their application and reduce the overhead of the testing team.
> Any advice?
> Thanks in advance.
> Regards
> Aman Raheja
>
> http://www.techquotes.com
>
>
> ----------------------------------------------------------------------
> --------
> Audit your website security with Acunetix Web Vulnerability Scanner:
> Hackers are concentrating their efforts on attacking applications
> on your website. Up to 75% of cyber attacks are launched on
> shopping carts, forms, login pages, dynamic content etc. Firewalls,
> SSL and locked-down servers are futile against web application
> hacking. Check your website for vulnerabilities to SQL injection,
> Cross site scripting and other web attacks before hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> ----------------------------------------------------------------------
> ---------
>
>
***************************************************************************
            IMPORTANT NOTICE:
This email and any files transmitted with it is intended only for
the use of the person(s) to whom it is addressed, and may
contain information that is privileged, confidential and exempt
from disclosure under applicable law. If you are not the intended
recipient, please immediately notify the sender and delete
the email. Thank you.
***************************************************************************
Casey Tay Kian Chuan
Data Security Analyst
Data Security
DID :   65-6374-0653
TEL :   65-6272-0533
FAX :   65-6275-7712
Network For Electronic Transfers (S) Pte Ltd
298 Tiong Bahru Road
#04-01/06 Central Plaza
Singapore 168730
http://www.nets.com.sg


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:09 EDT