WebApp Throwdown!

WebApp Scanning Throwdown!

Starring: Nexpose Enterprise, Nessus 4.2 Professional Feed and Core Impact v10

The Victim: http://demo.testfire.net/ (Sorry IBM… not!)

Revised: 1/19/2010

Important Follow-up!

I have to apologize for errors in my original article. I missed a few findings in some of the reports, and misread a few items. Just to make this absolutely clear, errors in analysis of the results are my own fault, not a reflection of the products. And as stated, the configurations used were not ideal.

Please visit the downloads section for a spreadsheet providing the vulnerabilities in a matrix format and which tools identified them. Ultimately, there’s not a lot of difference though Nexpose did manage to get a couple that Nessus missed. All three tools missed quite a few more subtle vulnerabilities in the test site, however.

I feel the most important conclusions that can be drawn from this comparison are:

  1. You can’t rely on one tool to find all your issues
  2. You need to make sure your tools are properly configured for maximum results
  3. No tool will find everything, but it will be a good indicator you may need to take something apart to look at it more closely

The Puppetmasters New Clothes

In the Science Fiction novel “The Puppet Masters” by Robert A. Heinlein, alien creatures with the ability to connect to humans' nervous systems invade the Earth. This novel was made into a terrible, horrible movie, so if you have seen the movie but not read the book, please go read the book. And burn any copies of the movie you can get to.

But back to the book. It’s a pretty typical “alien possession” novel by current standards, but it was actually a significant publication in 1951. The aliens themselves are relatively small things with limited mobility (they are dubbed slugs), but they can attach themselves to a victim's neck and hang down the back. The “slug” can then control the human and tap into their memories, while remaining hidden under the clothing. As the novel progresses, the protagonists (Sam and Mary, who both work for a secret US intelligence agency) withdraw to the mountains. After being attacked by an alien slug, they return to the city to discover a law has been passed requiring full nudity.

The InfoSec Warrior’s Rant

(With apologies to Jack Nicholson and whoever originally crafted this gem. –Jedi) “Son, we live in a world that has networks and those networks need to be guarded by men with balls and smarts. Who’s gonna do it? You? You sniveling admin? I have greater responsibility than you can possibly fathom. You can weep for your permissions and curse security; you have that luxury. You have the luxury of not knowing what I know: that your inconvenience, while tragic to you, probably saved exploitations and that my existence, while grotesque and incomprehensible to you, saves this network. You don’t want the truth because deep down in places you don’t talk about at staff meetings you want me on that firewall, you need me on that SIM. We use[…]

NessusWX Development

I’ve uploaded a text file giving detailed instructions on how to set up a development environment under Windows for compiling the NessusWX client software. The document explains everything in excruciating detail and can be found in the files section. Have fun!