follow-up on web app scanners (technical vs logical vulnerabilities)

Jeremiah Grossman wrote an article titled: "Technology alone cannot defeat Web application attacks: Understanding technical vs. logical vulnerabilities" (requires registration). I pulled a couple of sections out which explain why automated scanners cannot find 'logical' vulnerabilities (and hence capture < 50% of the potential vulnerabilities present):

[...]

"This has made the automated process of finding simple vulnerabilities hard -- and finding difficult ones impossible.

Consider the following example. If we visit a Web site and are presented with the following URL:
http://example/order.asp?item=50&price=300.00

Can we guess what the application order.asp combined with the parameters item and price do? Using intelligence unique to humans, we can quickly deduce their purpose with relative certainty. This is a product ordering application. The item parameter is the particular product we are interested in. In our case, let's say an iPod. The price parameter is the amount we are going to pay for our portable music player. What happens if we change the price of 300.00 to 100.00? Or 1.00? Does the Web site still sell us the iPod? If so, we can easily understand that the Web site should not have allowed the price alteration. As humans, we possess a natural ability to assess context, and we aptly refer to these types of issues as "logical vulnerabilities," issues that only humans can identify.

Now, if an automated scanner attempted the very same attack in a generic fashion, how would it decide if a custom Web site's response was good or bad? How would it know if the attack worked or was adequately defended? Or what the item and price parameters were supposed to do in the first place? The answer is clear: Scanners cannot reliably make these assumptions."

[...]

"Scanners are great at tackling technical vulnerabilities such as cross-site scripting and SQL injection, and not effective at identifying price list modification, credential/session prediction, insufficient authorization, and other logical vulnerabilities."

It would be nice to fully categorize which vulnerabilities (or classes of vulnerabilities) can be checked for via automated tests and which only a human can check.
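To make the order.asp example concrete, here is an added illustration (my own code, not Grossman's and not from the article) of the price-tampering flaw beside its fix, and of why a generic scanner cannot tell the two apart. The catalogue, the item number 50 and the tampered URL are constructed for the example.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs, urlsplit

# Constructed server-side catalogue: the only trustworthy source of a price.
CATALOGUE = {"50": {"name": "iPod", "price": Decimal("300.00")}}

ORIGINAL_URL = "http://example/order.asp?item=50&price=300.00"  # from the article
TAMPERED_URL = "http://example/order.asp?item=50&price=1.00"    # constructed


def _params(url: str) -> dict:
    """Flatten the query string to single values, as a handler would see them."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def order_vulnerable(url: str) -> dict:
    """The logical flaw: the client-supplied price is charged as-is."""
    p = _params(url)
    item = CATALOGUE.get(p.get("item", ""))
    if item is None:
        return {"status": 404, "body": "Unknown item"}
    charged = Decimal(p["price"])  # whatever the client sent is believed
    return {"status": 200, "body": "Order placed", "charged": charged}


def order_hardened(url: str) -> dict:
    """The fix: price comes from server-side state; the client value is only cross-checked."""
    p = _params(url)
    item = CATALOGUE.get(p.get("item", ""))
    if item is None:
        return {"status": 404, "body": "Unknown item"}
    try:
        offered = Decimal(p.get("price", ""))
    except InvalidOperation:
        return {"status": 400, "body": "Bad request"}
    if offered != item["price"]:
        # This mismatch is the detection signal worth logging; a scanner has no
        # business context to know that 1.00 is "wrong" for item 50.
        return {"status": 409, "body": "Price mismatch", "expected": item["price"]}
    return {"status": 200, "body": "Order placed", "charged": item["price"]}


def scanner_can_tell(handler, original: str, tampered: str) -> bool:
    """A generic scanner compares only status code and body, not what was charged."""
    a, b = handler(original), handler(tampered)
    return (a["status"], a["body"]) != (b["status"], b["body"])
```

Against the vulnerable handler both URLs yield "200 Order placed", so the scanner sees nothing; only someone who knows what item 50 should cost notices the charged amount is wrong.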

Posted by tate 23/05/2006 at 22h45