Re: Required Help on Automated Tools

I think Matt means rather to avoid full automation, and I agree with
that. Even manual testing might need some degree of automation at some
point; you just can't hping or url-type all your way through the tests
(there are situations that are time dependent and it would be
inefficient or even impossible to test them by manually crafting each
packet or application request).

But there is scripting, and manual testing involves a lot of scripting
to fine tune your tests and extend them in ways that predefined
automated tests within available tools can't. Of course you need to be
proficient in an appropriate scripting language and in the areas that
you are testing to make a difference. I don't think that anyone can be
good enough in all areas (network, O.S., Applications), even Web
application testing has some many technologies and architectures
involved that it is difficult to have someone proficient in every
aspect, so you need to have some diversity within your pentest team.

Just some thoughts,

Omar Herrera

Dharmendra T escribió:
Dear matt,

Can you give few points as to why we should not automate the
assessments or testing? Don't you think the automation helps you in so
many ways, one of the best I could think of is "it will be faster
compared to manual"??

Regards,
Dharmendra T.

Matt - MRS Security wrote:
Vin Oxious wrote:
Hello Everyone,

Greetings !! ..Can you please list me
some tools that would allow automated testing of the below ... (
while I have already got a few tools .. just wanted to know if there
are some good ones ) ..

SQL Injection -

XSS -

Improper Session Management -

URL Access -

Direct Object Reference -


regards,
Noxious

------------------------------------------------------------------------

This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------



Please, please, please, please, please dont automate this kind of
testing and then based upon the results give the customer a pass if
nothing found.

I never ever advise automated application assessments to anyone. I
personally from the outset at the most automate the spidering of the
site and then manually audit it.

Improper session management can really only be assessed manually by
looking at the cookie or any session data passed as part of the URL.

There are a number of issues that automated tools will never discover.

Sorry to beat home this fact but at the most automated tools should
be run at the end of the test to verify your results.

I know personally of a PCI ASV that i competed against during some
work and they used automated scanning, they passed the merchant and i
found SQL injection (XP_CMDSHELL level), XSS, CSRF, weak session
management, data passed in the clear to name a few.

More than likely this email is going to cause an argument, but please
do not automate testing from the outset. Use it to verify your results.

Thanks

Matt.



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------

Relevant Pages

  • Re: Required Help on Automated Tools
    ... missing some attack vectors that an automated tools may not exploit (such as ... PCI DSS assessment is a very good example for all sorts of applications as all they do is try to enforce good practice. ... Security Trends Report from Cenzic ... Please, please, please, please, please dont automate this kind of testing and then based upon the results give the customer a pass if nothing found. ...
    (Pen-Test)
  • Re: Required Help on Automated Tools
    ... Security Trends Report from Cenzic ... Stay Ahead of the Hacker Curve! ... Please, please, please, please, please dont automate this kind of testing and then based upon the results give the customer a pass if nothing found. ...
    (Pen-Test)
  • RE: Required Help on Automated Tools
    ... The problem with relying *only* on automated tools is that you may be ... Can you give few points as to why we should not automate the assessments ... Security Trends Report from Cenzic ...
    (Pen-Test)
  • Re: Required Help on Automated Tools
    ... Security Trends Report from Cenzic ... Please, please, please, please, please dont automate this kind of testing and then based upon the results give the customer a pass if nothing found. ... I never ever advise automated application assessments to anyone. ... Improper session management can really only be assessed manually by looking at the cookie or any session data passed as part of the URL. ...
    (Pen-Test)
  • RE: My Frustrations
    ... If you are not an intended recipient you ... Security Trends Report from Cenzic ... Stay Ahead of the Hacker Curve! ...
    (Pen-Test)
Quantcast