[Dailydave] Web Scanning

Dave Aitel dave at immunityinc.com
Fri Sep 25 14:46:10 EDT 2015


Yahoo released a horizontally scalable web scanner today
<https://github.com/yahoo/gryffin>, written in GoLang. It's worth a look.

I think there are strategic cyber security lessons to be learned from
Yahoo releasing a free horizontally scalable web scanner and that's what
this mailing list is about so let's delve.

Let's look at history. Back in the day you would hire someone to do a
web assessment, and they would get WebInspect or AppScan and scan your
site, and then they'd poke around on it a little bit with an in-line
proxy, and write you a report. Scanning a site with WebInspect took time
- maybe each consultant on a team would be doing three scans at once.
But the reports invariably would say things like "Hey, we noticed you
did all your authentication on the client side. That's cool, but maybe
let's try it on the server next time?"

This is where mobile apps are now. They fail to realize that people can
mess with variables and so they are making all the mistakes people made
on web apps in 2002. Tooling for security for them is terrible too,
which is something we have a video coming out on soon. (Foreshadowing! I
does it!)

WebInspect and AppScan got absorbed by giant development chain companies
(IBM and HP) and are now "inline" with your whole development process
and this is of course because white box testing is a hell of a lot
easier than black box testing. But application penetration testing split
invisibly and we forgot to tell anyone. One aspect of it is the deep
look by a real hacker - typically a white-box approach. And in those
cases, you get cryptographic bugs, insane timing bugs, logic bugs, XSRF
bugs, and external entity bugs. SQL Injection and XSS are a side-note.
And of course on the other hand there is Lulzsec-style: We scanned your
box and five thousand other boxes with Hajiv and found an SQLi and a
file traversal and actually hacked you.

Hajiv and sqlmap (and WebInspect and AppScan) don't scale, but to solve
that problem there are the giant scanning farms, and until yesterday they
were all close-hold:

 1. WhiteHat
 2. Veracode
 3. Qualys
 4. Tenable
 5. WebSiege (Immunity)
 6. Gryffin (Yahoo)
 7. PunkSpider
 8. Google's XSS Scanner (only available for scanning your AppEngine apps)

Are there others? And by others I mean ones that can handle "I have
100000 web applications to scan."

The concept I think we keyed in on a long time ago is that the surface
had changed. Much as anybody can run a full on Internet-scan for a port,
they can also map your whole web application and the important thing is,
they already have. At some level the "Lulzsec" problem was because
companies didn't want to face the reality that their defensive surface
had expanded like a 24/7 cable news channel all about little Bobby
Tables. And the answer, of course, is partially continuous monitoring,
and partially out-sourced vulnerability validation (bug bounties).

-dave
