PortSwigger Web Security Blog

Sunday, 16 November 2008

[MoBP] Sucky scanners

How many people have used a commercial scanner to look for vulnerabilities in web applications? Lots of you, right?

And who thinks that the scanner they use is as good as it could possibly be?

Anyone? Anyone? Bueller?

I often talk to people about their experience with web scanning products, and these are the complaints I hear:

  • They are too slow, and provide little feedback or control over what they are doing during scans.

  • They try to perform checks that can't be reliably automated, resulting in too many false positives.

  • Even with the core input-based bugs that should be their bread and butter, they miss too much low-hanging fruit.

  • Their issue reporting is often vague and generic, requiring a lot of manual work to confirm issues and produce write-ups that you can give to a customer.

  • They are too expensive.

If you would like to see a web scanner that addresses some of these issues, then watch this space. If you would like to see one that addresses all of them, then experience a pleasurable quickening of the heart rate. And still watch this space.

2 comments:

Anonymous said...

You, sir, are my hero.

I can't wait to see what you cooked for us :)

Christian said...

Man... I'm so looking forward to the new Burp. The MoBP has been awesomely tantalising!

Copyright 2014 PortSwigger Ltd. All rights reserved.