As web applications stretch beyond borders they need to adopt strategies to work in multiple languages. Without the right tools or adequate knowledge of Unicode, a programmer will quickly descend into hysteria. The explanations in this post won’t leave you in euphoria, but, like the previous one, it should adrenalize your efforts to understand character …
Category Archives: web scanner evaluation
OU[tf-]812
Music has a universal appeal uninhibited by language. A metal head in Istanbul, Tokyo, or Oslo instinctively knows the deep power chords of Black Sabbath — it takes maybe two beats to recognize a classic like “N.I.B.” or “Paranoid.” The same guitars that screamed the tapping mastery of Van Halen or led to the spandex …
The Death of Web Scanners
I come here not to bury web application scanners, but to praise them.1 And then bury them a bit. Perhaps just up to the neck. On the beach. At low tide. Web application has historically been challenging, even in the early days of so-called simple web sites with low complexity and little JavaScript. Such simple …
Click depth is a useless scanner option
When web site owners want to measure how their visitors get from point A (say, the home page) to point B (such as finalizing a purchase), they might use a metric called click depth or link depth. This represents the number of clicks required to get from link A to link B. Sites strive to …
Login forms
Designing a web application scanner is easy. A good design requires a few sentences; a great design might need two paragraphs or so. It’s easy to find messages on e-mail lists that describe the One True Way to scan a web site. Implementing a scanner is hard. The core of a web vulnerability scanner performs …
Ceci n’est pas une web site
Web scanner evaluations collect metrics by comparing scan results against a (typically far too small) field of test sites. One quick way to build the test field might be to collect intentionally vulnerable sites from the Web. That approach, though fast, does a disservice to the scanners and more importantly the real web applications that …
Web Scanner Evaluation: Accuracy
This is the first in a series of essays describing suggested metrics for evaluating web application security scanners. Accuracy measures the scanner’s ability to detect vulnerabilities. The basic function of a web scanner is to use automation to identify the same, or most of the same, vulnerabilities as a web security auditor. Rather than focus …
Observations on Larry Suto’s Paper about Web Application Security Scanners
Note: I’m the lead developer for the Web Application Scanning service at Qualys and I worked at NTO for about three years from July 2003 — both tools were included in this February 2010 report by Larry Suto. Nevertheless, I most humbly assure you that I am the world’s foremost authority on my opinion, …
Web application scanning
An opinion piece covering all you ever wanted to know. Maybe not everything, but it provides a basis for the different challenges of automating web attacks. It might even sound familiar from a previous post…
Automating web application scans
Read a Q&A on some of the fundamental challenges of automating a web application scan. (I wrote the A, not the Q.)