On Thu, Oct 16, 2008 at 03:06:36PM -0400, Aviram Jenik wrote:
> I wanted to request that you treat someone who has been on this list for
> close to 10 years now with a little more respect. But since that ship has
> sailed, I will instead let you know that I will plug my services any way
> and any time that I wish.
>
> Save your preaches for the clueless newbies (like the one who told Amos
> nessus checks for SQL injection or the other that told Amos "micro deposit"
> thefts were the problem he should be worried about. Yeah, right). Or if
> you've got nothing really intelligent to say, just shut up.

Hey Aviram,

Glad to know that your automated scanner catches all those pesky business
logic vulns, or are those not something Amos needs to be concerned with?
Nessus actually does have some primitive SQLi checks (Nessus ID #11139),
though I have yet to see an automated scanner, including yours, that finds
all (or even most) blind SQL injection vulns. The truth is automated
scanning is good at catching the low hanging fruit. It can be a useful
tool when used in conjunction with proper manual testing. However, it
would be naive to believe that an application is free from high risk
vulns just because it passed some automated scan. I think you know as
well as I do the limits in writing generic plugins that are successful in
identifying a specific vuln in a custom app 100 percent of the time. For
example, how many automated scanners can identify insufficient access
control vulns where by rotating a number in the request, you can
access arbitrary client information? An automated scanner has no way
of knowing the meaning of the 'clientID' parameter, or whatever
arbitrary name the developers gave it. 

--
 - Josh
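An added illustration of the "rotate the clientID" access-control flaw Josh describes, not code from the thread or from either poster: a minimal record-lookup handler without an ownership check beside one that enforces it, plus the kind of application-specific authorization test a manual tester writes once they know what `clientID` means. The client records, user names and the `Request` shape are constructed for the example.

```python
"""
Added example, not from the mailing-list thread: a record lookup keyed on
a caller-supplied 'clientID', first without an ownership check (any
authenticated user can read any client by changing the number), then with
one, and an app-specific authorization test that a generic scanner plugin
cannot produce because it does not know which IDs belong to which user.
All data below is constructed for the example.
"""
from dataclasses import dataclass

# Constructed sample data: client records and the user who owns each one.
CLIENTS = {
    1001: {"name": "Client A", "balance": 2500, "owner": "alice"},
    1002: {"name": "Client B", "balance": 910, "owner": "bob"},
    1003: {"name": "Client C", "balance": 13000, "owner": "alice"},
}


@dataclass
class Request:
    user: str     # authenticated principal, assumed to be set by the session layer
    params: dict  # query-string parameters, e.g. {"clientID": "1002"}


class NotFound(Exception):
    pass


def parse_client_id(params: dict) -> int:
    """Accept only a plain decimal clientID; anything else is treated as absent."""
    raw = params.get("clientID")
    if raw is None or not str(raw).isdigit():
        raise NotFound("missing or malformed clientID")
    return int(raw)


def get_client_vulnerable(req: Request) -> dict:
    """Looks the record up by the supplied ID only. Being logged in is the
    only requirement, so the ID in the request is the whole access control."""
    client_id = parse_client_id(req.params)
    record = CLIENTS.get(client_id)
    if record is None:
        raise NotFound(client_id)
    return record


def get_client_hardened(req: Request) -> dict:
    """Same lookup, but the record is returned only if the authenticated
    user owns it. An unowned ID gets the same NotFound as a nonexistent
    one, so the response does not reveal which IDs exist."""
    client_id = parse_client_id(req.params)
    record = CLIENTS.get(client_id)
    if record is None or record["owner"] != req.user:
        raise NotFound(client_id)
    return record


def cross_user_access_allowed(handler, owner: str, other_user: str) -> bool:
    """Application-specific authorization test: request every record owned
    by `owner` from `other_user`'s session and report whether any was
    returned. This is the check a person who knows the meaning of
    'clientID' writes; a generic plugin has no way to know the ownership
    relation it is supposed to verify."""
    for client_id, record in CLIENTS.items():
        if record["owner"] != owner:
            continue
        try:
            handler(Request(user=other_user, params={"clientID": str(client_id)}))
            return True  # a record crossed the trust boundary
        except NotFound:
            continue
    return False


if __name__ == "__main__":
    print("vulnerable handler leaks:",
          cross_user_access_allowed(get_client_vulnerable, "alice", "bob"))
    print("hardened handler leaks:  ",
          cross_user_access_allowed(get_client_hardened, "alice", "bob"))
```

The point of `cross_user_access_allowed` is that it encodes a fact about this application (which user owns which record) that no signature-based scanner has; once written, it runs as a regression test on every build, which is how the manual finding stays fixed.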
