[nycphp-talk] more crappy programs: security focus 230 - 232
Chris Shiflett
shiflett at php.net
Thu Jan 22 12:47:10 EST 2004
--- jon baer <jonbaer at jonbaer.net> wrote:
> in the "real world" is nessus pretty much a legit testing method based
> on php developers experience? for example go here:
>
> http://cgi.nessus.org/plugins/search.html
>
> and type "php" ... what pops up seems to be php sigs for examining some
> more common php apps, what id like to see a bit of a more compact type
> of nessus which can take those same sigs + sql injections + some other
> nasties and put into a free tool (maybe developed in php) ...
Well, nessus is open source (I couldn't tell if you were suggesting
otherwise), and it's basically just a tool that has a nice plugin
architecture. So, most of its actual usefulness comes from the plugins and
not so much the tool.
Since anyone can write a plugin, I imagine that there are some good
plugins and a lot of bad ones. I can't imagine automating Web application
security with a lot of success, and most of those PHP plugins appear to
test for specific known vulnerabilities in popular PHP packages such as
the Nukes and phpBB (all of which are favorites on Security Focus).
Chris
=====
Chris Shiflett - http://shiflett.org/
PHP Security Handbook
Coming mid-2004
HTTP Developer's Handbook
http://httphandbook.org/
More information about the talk
mailing list