[Webappsec] [WEB SECURITY] Re: Tacking A Difficult Problem - Solutions

Bubba Gump bubbagump123 at gmail.com
Wed Apr 25 18:18:26 EDT 2007


Ory,
The scanner that I'm using is not flagging duplicates for the Cross Site
Scripting issues it identified.  Every issue in the scan results involves
a unique page/parameter combination and is a valid, repeatable issue.  It
works pretty much like what you have described in your note.

- Bubba

On 4/25/07, Ory Segal <osegal at watchfire.com> wrote:
>
> Hi Arian,
>
> First of all, thanks :-)
>
> Just to set things straight - your example of different verbs (or
> different schemes) == different vulnerabilities is incorrect (at least in
> AppScan).
>
> AppScan works by using the original (valid) request that was collected
> during the explore phase, and manipulating each parameter. So, unless the
> same request was actually sent using both GET+POST and HTTP+HTTPS, you will
> only see the vulnerability flagged once for each parameter.
>
> Sure, the links http://www.some.site/index.php?name=value and
> https://www.some.site/index.php?name=value might point to the exact same
> index.php script and to the same 'name' parameter, but then again, they
> might not, and IMHO most pen testers would rather get some redundant
> results rather than a False Negative, no?
>
> I agree that this is not the case with GET/POST which obviously point to
> the exact same script - but as I've mentioned, that's not how AppScan does
> things. AppScan will only generate this kind of duplicate if there were
> actually two different valid requests using two different verbs (during the
> explore phase) - and that's because AppScan tries to keep the integrity of
> the data collected during the explore phase, and not to mess requests up for
> no reason.
>
> -Ory
>
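As an added illustration of the de-duplication trade-off discussed in this thread (not code from the thread, from Bubba, or from AppScan): a small Python routine that keys each finding by issue, scheme, host, path, parameter and verb, with switches for collapsing verbs (GET/POST to the same script) or schemes (http/https). The Finding type, its field names and the sample results are constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Finding:
    """One scanner finding: request URL, verb and injectable parameter (constructed shape)."""
    url: str
    verb: str
    param: str
    issue: str = "Cross-Site Scripting"


def finding_key(f: Finding, merge_verbs: bool = False, merge_schemes: bool = False) -> tuple:
    """Identity used to decide whether two findings report the same issue.

    merge_verbs=True treats GET and POST against one script/parameter as one issue
    (the thread's 'obviously point to the exact same script' case).
    merge_schemes=True additionally collapses http:// and https://, which the thread
    argues is risky: the two endpoints may not be served by the same script, so a
    merged report can hide a real (false-negative) issue.
    """
    parts = urlsplit(f.url)
    scheme = "*" if merge_schemes else parts.scheme.lower()
    verb = "*" if merge_verbs else f.verb.upper()
    return (f.issue, scheme, parts.netloc.lower(), parts.path, f.param, verb)


def deduplicate(findings: Iterable[Finding], merge_verbs: bool = False,
                merge_schemes: bool = False) -> dict:
    """Group findings by key; returns {key: [findings]} so collapsed reports stay visible."""
    groups: dict = {}
    for f in findings:
        groups.setdefault(finding_key(f, merge_verbs, merge_schemes), []).append(f)
    return groups


# Constructed sample results, modelled on the http/https index.php?name=value example above.
SAMPLE = [
    Finding("http://www.some.site/index.php?name=value", "GET", "name"),
    Finding("https://www.some.site/index.php?name=value", "GET", "name"),
    Finding("https://www.some.site/index.php", "POST", "name"),
    Finding("https://www.some.site/index.php", "POST", "name"),  # exact repeat of one request
]

if __name__ == "__main__":
    for mv, ms in [(False, False), (True, False), (True, True)]:
        print(f"merge_verbs={mv} merge_schemes={ms}: {len(deduplicate(SAMPLE, mv, ms))} issue(s)")
```

With the strict (per-request, per-parameter) policy the sample yields three distinct issues; merging verbs gives two, and merging schemes as well collapses everything into one.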

