Re: Required Help on Automated Tools



Vin Oxious wrote:
Hello Everyone,

Greetings!! Can you please list me some tools that would allow automated testing of the below (while I have already got a few tools, I just wanted to know if there are some good ones).

SQL Injection -

XSS -

Improper Session Management -

URL Access -

Direct Object Reference -


regards,
Noxious

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------

Please, please, please, please, please don't automate this kind of testing and then, based upon the results, give the customer a pass if nothing is found.

I never ever advise automated application assessments to anyone. I personally from the outset at the most automate the spidering of the site and then manually audit it.

Improper session management can really only be assessed manually by looking at the cookie or any session data passed as part of the URL.

There are a number of issues that automated tools will never discover.

Sorry to beat home this fact, but at the most, automated tools should be run at the end of the test to verify your results.

I know personally of a PCI ASV that I competed against during some work, and they used automated scanning. They passed the merchant, and I found SQL injection (XP_CMDSHELL level), XSS, CSRF, weak session management, and data passed in the clear, to name a few.

More than likely this email is going to cause an argument, but please do not automate testing from the outset. Use it to verify your results.

Thanks

Matt.


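As an added illustration of the kind of cookie and URL inspection Matt describes (example code added here, not from the original thread or any tool it mentions): a small Python reviewer that reads a captured Set-Cookie header and a URL seen while spidering and flags the session-management weaknesses a manual auditor looks for. The session cookie names, the 64-bit entropy threshold and the sample values are assumptions.

```python
import math
from collections import Counter
from http.cookies import SimpleCookie
from urllib.parse import urlparse, parse_qs

# Cookie/parameter names commonly used for session identifiers (assumed list; extend per target).
SESSION_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sessionid", "sid", "session"}
MIN_TOKEN_BITS = 64  # assumed threshold for an unguessable session token

def token_entropy_bits(token: str) -> float:
    """Shannon entropy of the whole token in bits: a crude upper bound that still catches IDs like 'user123'."""
    if not token:
        return 0.0
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in Counter(token).values()) * n

def review_set_cookie(header: str) -> list:
    """Findings for one Set-Cookie header value; non-session cookies are ignored."""
    jar = SimpleCookie()
    jar.load(header)
    findings = []
    for name, morsel in jar.items():
        if name.lower() not in SESSION_NAMES:
            continue
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure flag (cookie also sent over plaintext HTTP)")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly flag (readable by script, e.g. via XSS)")
        if not morsel["samesite"]:
            findings.append(f"{name}: missing SameSite attribute (CSRF exposure)")
        bits = token_entropy_bits(morsel.value)
        if bits < MIN_TOKEN_BITS:
            findings.append(f"{name}: low-entropy token (~{bits:.0f} bits)")
    return findings

def review_url(url: str) -> list:
    """Findings for a URL seen while spidering: session data carried in the URL itself."""
    parsed = urlparse(url)
    findings = [f"session identifier '{k}' passed in query string"
                for k in parse_qs(parsed.query) if k.lower() in SESSION_NAMES]
    # Servlet-style path parameter, e.g. /cart;jsessionid=...
    if parsed.params.split("=")[0].lower() in SESSION_NAMES:
        findings.append("session identifier passed as URL path parameter")
    return findings

if __name__ == "__main__":
    # Constructed sample header and URL, not taken from any real application.
    for finding in (review_set_cookie("PHPSESSID=user123; Path=/")
                    + review_url("http://shop.example.test/cart;jsessionid=ABC123?item=42")):
        print(finding)
```

The entropy estimate only measures character frequencies, so it flags short or structured identifiers but cannot prove a long token is truly random; that judgement still needs a human looking at how the server generates it.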
