Suggestions for improvement

Frank

Aug 23, 2011, 5:30:27 PM
to Websecurify
Hi,

I wrote my master's thesis on penetration testing tools/vulnerability
scanners and I noticed some problems with Websecurify (version 0.8)
that cause false positives and false negatives. Unfortunately, I don't
have the time to fix these myself, or I would have sent a patch.

- only one input is used at a time, while in some cases (e.g. password
and repeat password) it is required that both fields contain the same
value; because only one input is used, Websecurify will miss an SQL
injection if the password is inserted into the database unvalidated
- some sites place the content of headers like Referrer and User-agent
on a page, this behavior is vulnerable to XSS that is not detected by
Websecurify
- when the content of an input is used in a link (e.g. <a
href="index.php?page=<script>alert('XSS');</script>...) or as the value of
a text field (e.g. <input type="text" value="<script>alert('XSS');</
script>...), this is detected as an XSS vulnerability while it is in
fact harmless; it should be checked where the content of the input is
and whether it is parsed by the browser
- related to the above suggestion, if the input is preceded by ">, any
HTML tag the input may be present in will be closed, "ensuring" the
text does not appear in a tag and is thus parsed by the browser (it
should still be checked whether the text is in a tag, because if the web
application escapes or removes quotes, or replaces them with HTML
entities, this does not work).
- Websecurify does not recognize "Unexpected end of command in
statement" as an error message from a certain SQL server (I'm not sure
which one exactly, but there is a java SQL server that can be used
with the Tomcat webserver (WebGoat uses this)) that indicates an SQL
injection is possible

Regards,
Frank
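A context-aware reflection check of the kind the third and fourth bullets ask for, added here as an example and not code from Websecurify. It parses a response with Python's standard `html.parser`, records whether the probe string lands inside an attribute value or as the text of a parsed `<script>` element, and only reports the latter; the sample responses (including the case where the `">` prefix is neutralised by entity-encoding the quotes) are constructed for the example.

```python
from html.parser import HTMLParser

# Probe payload from the thread and the substring we look for in responses.
PROBE = "<script>alert('XSS');</script>"
MARKER = "alert('XSS')"
VOID_TAGS = {"input", "br", "img", "meta", "link", "hr", "area", "base", "col", "source"}


class ReflectionLocator(HTMLParser):
    """Record every context (attribute value or text node) in which MARKER lands."""

    def __init__(self, marker):
        super().__init__(convert_charrefs=True)  # &lt; &quot; &#39; are decoded before we look
        self.marker = marker
        self.contexts = []  # (kind, element, attribute name or None)
        self.open = []      # stack of currently open elements

    def _scan_attrs(self, tag, attrs):
        for name, value in attrs:
            if value and self.marker in value:
                self.contexts.append(("attribute", tag, name))

    def handle_starttag(self, tag, attrs):
        self._scan_attrs(tag, attrs)
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_startendtag(self, tag, attrs):
        self._scan_attrs(tag, attrs)  # self-closing: nothing to push

    def handle_endtag(self, tag):
        if tag in self.open:
            while self.open and self.open.pop() != tag:
                pass

    def handle_data(self, data):
        if self.marker in data:
            parent = self.open[-1] if self.open else None
            self.contexts.append(("text", parent, None))


def reflection_contexts(response, marker=MARKER):
    loc = ReflectionLocator(marker)
    loc.feed(response)
    loc.close()
    return loc.contexts


def probe_executes(response, marker=MARKER):
    """True only when the injected <script> was parsed as markup, i.e. MARKER is the
    text content of a script element rather than part of an attribute value."""
    return any(kind == "text" and parent == "script"
               for kind, parent, _ in reflection_contexts(response, marker))


# Constructed sample responses, not captured from any real site.
SAMPLES = {
    "href": f'<a href="index.php?page={PROBE}">next</a>',
    "value": f'<input type="text" value="{PROBE}">',
    "body": f'<p>Search results for {PROBE}</p>',
    "breakout": f'<input type="text" value="">{PROBE}">',  # input was '">' + PROBE
    "escaped": '<input type="text" value="&quot;&gt;&lt;script&gt;alert(&#39;XSS&#39;);&lt;/script&gt;">',
}

if __name__ == "__main__":
    for name, html in SAMPLES.items():
        print(f"{name:9} executes={probe_executes(html)} contexts={reflection_contexts(html)}")
```

Only "body" and "breakout" are reported; the two attribute reflections and the entity-escaped breakout attempt are classified as attribute values and left alone.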

pdp

Sep 7, 2011, 4:08:46 PM
to Websecurify
Thanks Frank,

Indeed, there is still room for improvement. Most of your suggestions
are already implemented and functional in 0.9 (should be available for
download soon). Although the new engine allows us to do all kinds of
fuzzing, we simply do not expose all features by default. If we decide
to turn on all features, that would mean that you will have to deal
with very, very, very long tests which may not turn out to be very
fruitful in the end. We also want to make sure that our users enjoy a
simple and intuitive user interface. Unfortunately, we cannot satisfy
everybody, and this is why we are working on several extensions and
additional products which will give that extra edge to professional
users like yourself.

Thanks again for the suggestions.

Please let us know if you find more problems, specifically with the
0.9 alphas and betas.

Thanks,
pdp