Interoperability and web application scanners
By Romain Monday, November 12 2007 - 14:46 UTC - Discussion - Permalink
Talking about web application security scanners, we all have the same problem: false positives. This is not something the testing methodology itself can fully solve, since it relies on pattern detection. So the idea I started talking about on #webappsec today is a common format for exchanging information between tools.
Ideally, this would work like this:
I really think that would be helpful somehow, at least for open-source tools. I'm going to try to implement this for the next release of Grabber.
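As an added example (not code from the original post, nor from Grabber), here is how a consumer of such an exchange format could merge the reports of several scanners and decide how much to trust each finding. Everything below is assumed for illustration: the XML schema, the tool names A, B and C, the URLs and parameters, and the per-finding severity and probability attributes; the post's own sketch of the format is not reproduced on the page. The one design point worth taking from it is that each report also records what the tool actually tested, so that a tool that looked and found nothing can be told apart from a tool that never looked.

```python
import math
import xml.etree.ElementTree as ET

# Constructed sample reports from three hypothetical scanners, A, B and C,
# in an assumed exchange format (the original post's own format is not
# reproduced here). Each <scanned> element records what the tool actually
# tested, so that "did not report it" can be told apart from "did not look".
REPORTS = {
    "A": """<report tool="A">
  <scanned url="http://target/search.php" params="q" checks="xss,sqli"/>
  <scanned url="http://target/login.php" params="user,pass" checks="sqli"/>
  <finding url="http://target/search.php" param="q" type="xss"
           severity="high" probability="0.9"/>
</report>""",
    "B": """<report tool="B">
  <scanned url="http://target/search.php" params="q" checks="xss"/>
  <scanned url="http://target/comment.php" params="body" checks="xss"/>
  <finding url="http://target/search.php" param="q" type="xss"
           severity="medium" probability="0.6"/>
  <finding url="http://target/comment.php" param="body" type="xss"
           severity="low" probability="0.3"/>
</report>""",
    "C": """<report tool="C">
  <scanned url="http://target/search.php" params="q" checks="sqli"/>
  <scanned url="http://target/login.php" params="user,pass" checks="sqli"/>
  <finding url="http://target/login.php" param="user" type="sqli"
           severity="high" probability="0.5"/>
</report>""",
}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def parse_report(xml_text):
    """Return (tool, coverage, findings) for one report.

    coverage is the set of (url, param, check) triples the tool tested;
    findings maps (url, param, type) to (severity, probability).
    """
    root = ET.fromstring(xml_text)
    coverage = set()
    for s in root.findall("scanned"):
        for param in s.get("params").split(","):
            for check in s.get("checks").split(","):
                coverage.add((s.get("url"), param, check))
    findings = {}
    for f in root.findall("finding"):
        key = (f.get("url"), f.get("param"), f.get("type"))
        findings[key] = (f.get("severity"), float(f.get("probability")))
    return root.get("tool"), coverage, findings


def merge(reports):
    """Merge several reports into one verdict per (url, param, type)."""
    parsed = [parse_report(text) for text in reports.values()]
    keys = set()
    for _, _, findings in parsed:
        keys.update(findings)

    merged = {}
    for key in sorted(keys):
        reported, silent, not_tested, probs = [], [], [], []
        severity = "low"
        for tool, coverage, findings in parsed:
            if key in findings:
                sev, prob = findings[key]
                reported.append(tool)
                probs.append(prob)
                if SEVERITY_RANK[sev] > SEVERITY_RANK[severity]:
                    severity = sev
            elif key in coverage:
                silent.append(tool)      # tested it and found nothing: a real disagreement
            else:
                not_tested.append(tool)  # never looked: no evidence either way

        # Heuristic: probability that at least one reporting tool is right,
        # treating the tools' own estimates as independent.
        probability = 1.0 - math.prod(1.0 - p for p in probs)

        if silent:
            verdict = "disputed"        # a tool that tested for it disagrees
        elif len(reported) >= 2:
            verdict = "confirmed"       # independent agreement, nobody disagrees
        else:
            verdict = "single-source"   # only one tool looked and found it

        merged[key] = {
            "verdict": verdict,
            "severity": severity,
            "probability": probability,
            "reported_by": reported,
            "silent": silent,
            "not_tested_by": not_tested,
        }
    return merged


if __name__ == "__main__":
    for (url, param, vtype), r in merge(REPORTS).items():
        print(f"{r['verdict']:13} {r['severity']:6} p={r['probability']:.2f} "
              f"{vtype} {url} [{param}] by={r['reported_by']} "
              f"silent={r['silent']} untested={r['not_tested_by']}")
```

With the constructed reports, the XSS on search.php comes out as confirmed (A and B agree, C never ran an XSS check on that parameter), the SQL injection on login.php as disputed (C reports it, A tested the same parameter for the same class and stayed silent), and the XSS on comment.php as single-source. The combination rule is only a heuristic; it does not replace manual verification, it just tells the reviewer where to start.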
Comments
It seems to be a good idea, but there are some things that you should keep in mind before being able to tell from tool B that tool A has a false positive:
- Did tool A actually analyze the URL?
- Was tool A configured to search for that type of vulnerability on that parameter?
Also, let's suppose that you can share these 3 XML files among 3 different tools, A, B, C. If C finds a vuln and A and B don't, what's the final result? Does C have more knowledge in it to find this type of vuln, or does C have a false positive?
I think that the best way to do this is:
- run all the programs you have against a target site
- analyze all findings manually and discard false positives
These are good questions that we have to discuss :) Actually, a couple of us are looking in the direction of interoperability between web app security tools (not only scanners), and we would like to start a new WASC project about that.
The problem with a format such as the one I described is that I didn't talk about a really important piece of information given by the tool: the pair (severity, probability). In smart tools, you can have a probability that a finding is a true positive; this would also deal with that.
For sure, the idea is not to avoid manual probing of false positives, but just to try to combine tools in a good way (if it's possible).
Hi,
Wasn't AVDL sort of what you are describing? Anyway, it completely crashed and burned. Maybe a new type of standard would be a good idea.
For what I explained here, you're absolutely right. AVDL/VulnXML/OASIS WAS are basically the same thing. But what we are interested in is going further by communicating with different types of tools (WAFs, security scanners, etc.) and passing different types of information, such as security policies, scanner results to generate rules, and so on...