[Webappsec] [WEB SECURITY] Re: Tacking A Difficult Problem - Solutions
bubbagump123 at gmail.com
Wed Apr 25 18:18:26 EDT 2007
The scanner that I'm using is not flagging duplicates for the Cross Site
Scripting issues it identified. Every issue in the scan results is
involving a unique page/parameter combination and is a valid, repeatable
issue. It works pretty much like what you have described in your note.
On 4/25/07, Ory Segal <osegal at watchfire.com> wrote:
> Hi Arian,
> First of all, thanks :-)
> Just to set things straight - your example of different verbs (or
> different schemes) == different vulnerabilities is incorrect (at least in
> AppScan works by using the original (valid) request that was collected
> during the explore phase, and manipulating each parameter. So, unless the
> same request was actually sent using both GET+POST and HTTP+HTTPS, you will
> only see the vulnerability flagged once for each parameter.
> Sure, the links *http*://www.some.site/index.php?name=value and
> *https*://www.some.site/index.php?name=value might
> point to the exact same index.php script and to the same 'name' parameter,
> but then again, they might not, and IMHO most pen testers would rather get
> some redundant results rather than a False Negative, no?
> I agree that this is not the case with GET/POST which obviously point to
> the exact same script- but as I've mentioned, that's not how AppScan does
> things. AppScan will only generate this kind of duplicate, if there were
> actually two different valid requests using two different verbs (during the
> explore phase)- and that's because AppScan tries to keep the integrity of
> the data collected during the explore phase, and not to mess requests up for
> no reason.
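To make the deduplication behaviour discussed in this thread concrete, here is a small added example (my own code, not AppScan's or any scanner's): findings are keyed by issue type, verb, scheme, host, script path and parameter, which is what makes "the same script and parameter reached over GET and POST, or over http and https" count as separate results unless you deliberately collapse those dimensions. The `Finding` class, the `collapse_*` flags and the sample findings are all constructed for illustration.

```python
"""Deduplicate scanner findings per page/parameter, with optional merging of
verb and scheme variants. Added example, not code from AppScan or Watchfire;
all findings below are constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Finding:
    issue: str      # issue type, e.g. "xss"
    method: str     # HTTP verb of the request collected during exploration
    url: str        # full URL as it was collected (query string included)
    parameter: str  # the parameter that was manipulated to trigger the issue


def finding_key(f: Finding, collapse_verb: bool = False,
                collapse_scheme: bool = False) -> tuple:
    """Identity of a finding for deduplication purposes.

    By default verb and scheme stay part of the key: GET vs POST, or http vs
    https, against the same script and parameter are reported separately
    (the "redundant result rather than a false negative" stance from the
    thread). The query string is never part of the key, so the same
    script+parameter reached with different values is one finding.
    """
    parts = urlsplit(f.url)
    scheme = "*" if collapse_scheme else parts.scheme.lower()
    method = "*" if collapse_verb else f.method.upper()
    return (f.issue, method, scheme, parts.netloc.lower(), parts.path, f.parameter)


def dedupe(findings, **key_opts) -> list:
    """Keep the first finding seen for each key; key_opts go to finding_key."""
    seen = {}
    for f in findings:
        seen.setdefault(finding_key(f, **key_opts), f)
    return list(seen.values())


# Constructed sample: five raw findings against one script.
SAMPLE = [
    Finding("xss", "GET",  "http://www.some.site/index.php?name=value", "name"),
    Finding("xss", "GET",  "http://www.some.site/index.php?name=other", "name"),
    Finding("xss", "POST", "http://www.some.site/index.php",            "name"),
    Finding("xss", "GET",  "https://www.some.site/index.php?name=value", "name"),
    Finding("xss", "GET",  "http://www.some.site/index.php?name=v&page=1", "page"),
]


def summary() -> dict:
    """Number of distinct findings under each deduplication policy."""
    return {
        "per_verb_and_scheme": len(dedupe(SAMPLE)),
        "verb_collapsed": len(dedupe(SAMPLE, collapse_verb=True)),
        "verb_and_scheme_collapsed": len(dedupe(SAMPLE, collapse_verb=True,
                                                collapse_scheme=True)),
    }


if __name__ == "__main__":
    for policy, count in summary().items():
        print(f"{policy}: {count} finding(s)")
```

With the default key the two GET/http findings on `name` merge into one (they differ only in the parameter value), while the POST and https variants stay separate, giving four results; collapsing the verb brings that to three and collapsing scheme as well to two. Whether the collapsed forms are acceptable depends on whether the http and https endpoints really are the same script, which is exactly the uncertainty the thread raises.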