Web Scanners For The Win... presented at Ruxcon 2010

by Louis Nyffenegger

Tags: Web Monitoring

URL: http://www.ruxcon.org.au/presentations/#wib

Summary: More and more organisations think an automatic web scanner can replace pentesters. Even if this may be true in some cases, I will demonstrate that most web scanners don't do a decent job and cannot be used to ensure that a website is secure.

Most arguments against web scanners are based on the fact that these scanners cannot understand the business logic behind applications; however, we will see that scanners are not even able to properly find vulnerabilities like SQL injection or command injection.

Based on commercial and open source tools, this presentation will take some examples of web vulnerabilities and go through each scanner's results for good lulz.

Louis Nyffenegger: Snyff is a French security consultant working in Melbourne. He specialises in web security and tries not to waste his time on mouse-over-click-jacking or any other ridiculous web vulnerabilities. He also enjoys playing with commercial web scanners and lolling at how shit they are. His hobbies include drinking Fat Yak, mirc32.exe, yelling at strangers and wearing Speedos.