RE: Spi's products worth a try? Or any suggestions for developers' tool?

From: Thomas Ryan (tryan_at_siegeworksint.com)
Date: 11/09/05

  • Next message: Kurt Seifried: "Re: sugget a small pentest distro"
    To: <webappsec@securityfocus.com>
    Date: Tue, 8 Nov 2005 23:25:13 -0800
    
    

    Over the past 2 months I have been analyzing AppScan, HailStorm, NTOSpider and
    WebInspect for a paper to be released within a few weeks. All 4 scanners
    have some type of support for JavaScript, but one really stood out and
    caught my attention: NTOSpider 2.0 (www.ntobjectives.com).
    By far it has the best JavaScript analysis engine and is lightning fast.

    SPI does choke up when testing a JavaScript intensive website, but most
    testers overcome this issue by using SPIProxy to test JavaScript intensive
    websites.

    AppScan reports all document.write as Highly Suspicious and requires further
    analysis from the tester.

    HailStorm is testing a JavaScript intensive site as we speak. I will have
    more feedback tomorrow.

    All 4 scanners have said they will support AJAX in the next 6 months... all
    we need are some AJAX sites to test.

    Thomas Ryan
    Senior Security Consultant
    SiegeWorks International

    -----Original Message-----
    From: caseytay@nets.com.sg [mailto:caseytay@nets.com.sg]
    Sent: Tuesday, November 08, 2005 5:47 PM
    To: Cory Stoker
    Cc: Aman Raheja; pen-test@securityfocus.com; davidlim@nets.com.sg
    Subject: Re: Spi's products worth a try? Or any suggestions for developers' tool?

    Hi Cory,

    This is regarding your statement about SPI WebInspect. You mentioned:

    "Also if
    your site utilizes Javascript heavily, SPI will have a tougher time
    crawling your site and analyzing it. If a site has Javascript you
    would manually crawl the site first then analyze the pages crawled."

    My questions:
    1) Why would WebInspect have a tough time crawling sites with JavaScript?
    2) Why do you advise that the pentester first do a manual walkthrough scan, then
    analyse from there onwards, instead of doing an auto scan first?

    Regards,
    Casey

    From: Cory Stoker <cory@clearnetsec.com>
    Date: 11/08/2005 03:56 AM
    To: Aman Raheja <araheja@techquotes.com>, pen-test@securityfocus.com
    Subject: Re: Spi's products worth a try? Or any suggestions for developers' tool?

    I have used SPI Web inspect and it is a pretty good tool. It is not
    a run and forget tool but it is valuable in a web assessment. Mostly
    it is a time saver as it does many tests automatically so you do not
    have to write scripts for the repetitive tasks. One thing that rocks
    is the SPI toolkit option for Web Inspect as it is a framework for
    manual testing that is pretty comprehensive. However the licensing
    scheme for Web Inspect is very restrictive and expensive for a tool
    of this nature IMHO. For example the cheaper licenses restrict you
    to a single IP but the site wide license is very pricey. Also if
    your site utilizes Javascript heavily, SPI will have a tougher time
    crawling your site and analyzing it. If a site has Javascript you
    would manually crawl the site first then analyze the pages crawled.

    ---
    Cory Stoker
    ClearNet Security
    On Nov 3, 2005, at 11:55 PM, Aman Raheja wrote:
    > Hello
    > Anyone has any experience with Spi's tools for web application
    > vulnerability scanning?
    > http://www.spidynamics.com/products/index.html
    > I need to suggest developers' tool so that they can self assess
    > their application and reduce the overhead of the testing team.
    > Any advice?
    > Thanks in advance.
    > Regards
    > Aman Raheja
    >
    > http://www.techquotes.com
    >
    >
    > ----------------------------------------------------------------------
    > --------
    > Audit your website security with Acunetix Web Vulnerability Scanner:
    > Hackers are concentrating their efforts on attacking applications
    > on your website. Up to 75% of cyber attacks are launched on
    > shopping carts, forms, login pages, dynamic content etc. Firewalls,
    > SSL and locked-down servers are futile against web application
    > hacking. Check your website for vulnerabilities to SQL injection,
    > Cross site scripting and other web attacks before hackers do!
    > Download Trial at:
    >
    > http://www.securityfocus.com/sponsor/pen-test_050831
    > ----------------------------------------------------------------------
    > ---------
    >
    >
    ***************************************************************************
                IMPORTANT NOTICE:
    This email and any files transmitted with it is intended only for
    the use of the person(s) to whom it is addressed, and may
    contain information that is privileged, confidential and exempt
    from disclosure under applicable law. If you are not the intended
    recipient, please immediately notify the sender and delete
    the email. Thank you.
    ***************************************************************************
    Casey Tay Kian Chuan
    Data Security Analyst
    Data Security
    DID :   65-6374-0653
    TEL :   65-6272-0533
    FAX :   65-6275-7712
    Network For Electronic Transfers (S) Pte Ltd
    298 Tiong Bahru Road
    #04-01/06 Central Plaza
    Singapore 168730
    http://www.nets.com.sg
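    Added example, not from any of the posters and not code from SPI Dynamics, NT OBJECTives or the AppScan/HailStorm vendors: a small Python illustration of the crawling problem Casey asks about and Cory and Thomas describe. A crawler that only parses static HTML sees the links in `<a href>` tags; links that exist only because a script emits them (`document.write`) or because an event handler navigates (`onclick="location.href=..."`) are invisible to it, so every page behind them goes unscanned. The sample page, the host `example.test`, and the function names are constructed for this illustration. The `js_links` heuristic (pulling URL-like quoted strings out of script bodies and event handlers) is one cheap way to recover candidate URLs without executing JavaScript; it is an assumption about technique, not a description of how any of the named scanners work.

```python
"""Why a crawler that does not execute JavaScript misses parts of a site.

SAMPLE_PAGE is a constructed page, not taken from any real application:
one link is in static HTML, two are reachable only through JavaScript.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

SAMPLE_PAGE = """
<html><body>
<a href="/about.html">About</a>
<script type="text/javascript">
  document.write('<a href="/reports/list.jsp?year=2005">Reports</a>');
</script>
<input type="button" value="Admin" onclick="location.href='/admin/console.do';">
</body></html>
"""

BASE = "http://example.test/"  # assumed base URL for resolving relative paths


class LinkCollector(HTMLParser):
    """Collects static hrefs, raw <script> bodies and on* handler values."""

    def __init__(self):
        super().__init__()
        self.hrefs = []      # what a plain HTML crawler follows
        self.scripts = []    # inline script bodies (html.parser treats them as data)
        self.handlers = []   # values of onclick/onload/... attributes
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.hrefs.append(attrs["href"])
        if tag == "script":
            self._in_script = True
        for name, value in attrs.items():
            if name.startswith("on") and value:
                self.handlers.append(value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def static_links(page, base=BASE):
    """URLs a non-JavaScript crawler would discover on the page."""
    c = LinkCollector()
    c.feed(page)
    return sorted(urljoin(base, h) for h in c.hrefs)


# Quoted strings that look like an absolute URL or a site-relative path.
_PATH_RE = re.compile(r"""['"]((?:https?://|/)[^'"\s<>]+)['"]""")


def js_links(page, base=BASE):
    """Candidate URLs found only inside script bodies and event handlers."""
    c = LinkCollector()
    c.feed(page)
    found = set()
    for blob in c.scripts + c.handlers:
        for m in _PATH_RE.finditer(blob):
            found.add(urljoin(base, m.group(1)))
    return sorted(found)


def coverage_gap(page, base=BASE):
    """Pages a static crawl would never request, and therefore never test."""
    return sorted(set(js_links(page, base)) - set(static_links(page, base)))


if __name__ == "__main__":
    print("static crawl sees:", static_links(SAMPLE_PAGE))
    print("JavaScript-only:  ", coverage_gap(SAMPLE_PAGE))
```

    On the sample page the static crawl returns only `/about.html`; the reports listing and the admin console exist solely in script text, which is the gap a manual walkthrough through a proxy (or a scanner with real JavaScript analysis) closes. The string heuristic is deliberately loose: it will also surface dead or client-side-only paths, so treat its output as candidates to visit, not as confirmed pages.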
    
