Just my $.02, I typically don't rely on VA scanners to test web sites/applications. IMHO it's beyond the scope of the VA scanner outside of basic checks (web server version, php/asp/.net version, rudimentary checks like directory traversal, config checking, etc).

What I think you really need is something like SPI Dynamics, Firewatch, Cenzic Hailstorm, Acunetix, etc. that dig deep into the application and test for XSS, SQL injection, javascript issues, and the like. These apps do a LOT of digging and there's a lot going on, so you can cripple a website if you're not careful. I've used Acunetix for a while and it's pretty good 'bang for the buck', so to speak, but you do get what you pay for. It's good for one-off testing, but there's no enterprise management piece that some of the others have that integrates into Dev, QA, automated scanning, etc. Mileage may vary and you have to understand what's going on under the hood of the tool you choose, but check them all out to see what best fits what you're looking for.

Thanks,
John.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of KaNam
Sent: Tuesday, October 09, 2007 3:27 PM
To: [email protected]
Subject: Website scanning useless ??

Hey all,

I was trying Nessus 3.0.6.1 Build W321 (and before that 3.0.3) to scan a particular website for scripting vulnerabilities (phpBB and stuff), and I found that for this part, Nessus will give you a false sense of security (since it may or may not return results, but mostly NOT).

Either I'm really stupid, because I can't get Nessus to scan on hostname, or the Nessus developers aren't thinking clearly. Even though I input a hostname to scan, if you do a double check (packet capture on either side), you will see Nessus request pages with "Host: resolved IP number". I see no settings on my Windows 2000 Server installation to change this. Obviously, "Host: IP number" works on about 0.00000001% of the webpages, since most web servers host multiple websites and of course will not return files for the requested hostname unless it's the one and only site running on that server. So, is this my fault, or have there been millions and millions of useless scans going around?

Oh, I've tried the IP[hostname] thingy for both localhost and remote website scanning. On all occasions, Nessus is scanning with the "Host: IP" header. Please note, I'm not asking Nessus to scan ALL vhosts, I'm just asking it to scan ONE host (be it local or remote), and I'm even giving the name!

Laterz,
da Kimp.

--
_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
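The false sense of security KaNam describes comes down to one header: on a name-based virtual host, a request carrying "Host: 1.2.3.4" is answered by the server's default site, not by the site you asked the scanner to test, so every web check runs against the wrong content. The following Python script is an added illustration, not code from the Nessus thread: it stands up a tiny loopback server that dispatches on the Host header (the vhost names shop.example.test and blog.example.test and the page bodies are constructed for the demo), then requests the same URL once with the hostname and once with the IP address and compares what comes back. It also records every Host value it sees, so the same listener can be used as a poor man's packet capture: point a scanner at it and read SEEN_HOSTS to learn which Host header the tool really sends.

```python
import http.client
import http.server
import threading

# Constructed example data: two name-based virtual hosts sharing one socket.
VHOSTS = {
    "shop.example.test": "shop site (phpBB lives here)",
    "blog.example.test": "blog site",
}
DEFAULT_SITE = "default site (nothing interesting here)"

# Every Host header the listener receives, in arrival order. A scanner pointed
# at this server reveals here whether it sends a name or a bare IP.
SEEN_HOSTS = []


class VHostHandler(http.server.BaseHTTPRequestHandler):
    """Serve a different body per Host header, like a name-based vhost setup."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]  # drop any :port
        SEEN_HOSTS.append(host)
        body = VHOSTS.get(host, DEFAULT_SITE).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_server():
    """Bind an ephemeral loopback port and serve in a background thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(port, host_header):
    """GET / on the loopback server with an explicitly chosen Host header.

    skip_host=True stops http.client from adding its own Host line, so the
    request carries exactly the value a scanner would have sent.
    """
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.putrequest("GET", "/", skip_host=True)
    conn.putheader("Host", host_header)
    conn.endheaders()
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return body


def compare_host_headers(hostname):
    """Return what the server serves for Host: <hostname> vs Host: <ip>."""
    srv = start_server()
    port = srv.server_address[1]
    try:
        by_name = fetch(port, hostname)
        by_ip = fetch(port, "127.0.0.1")
    finally:
        srv.shutdown()
        srv.server_close()
    return {"by_name": by_name, "by_ip": by_ip, "same": by_name == by_ip}


if __name__ == "__main__":
    result = compare_host_headers("shop.example.test")
    print("Host: shop.example.test ->", result["by_name"])
    print("Host: 127.0.0.1         ->", result["by_ip"])
    if not result["same"]:
        print("A scanner sending the IP as Host never touches the target site.")
    print("Host headers seen by the listener:", SEEN_HOSTS)
```

Run it as-is to see the two responses diverge; to check a real scanner, keep the server running (replace the demo calls with a long sleep), target its port, and inspect SEEN_HOSTS afterwards. If the list shows only IP addresses, the tool's web checks are hitting the default vhost rather than the site under test, which is exactly the condition that makes clean scan results meaningless.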
