Full Disclosure mailing list archives
Re: [Professional IT Security Providers - Exposed] QuietMove ( D - )
From: "Andre Gironda" <andreg () gmail com>
Date: Tue, 1 Jan 2008 23:02:43 -0700
On Jan 1, 2008 9:51 PM, reepex <reepex () gmail com> wrote:
> ok so they are nothing alike because ptp/hts actually teach you stuff while "UPT" was for jokes... so your post was stupid
The joke's on you since you don't have the context.
> I am not a part of secreview but I realize following email threads is very complicated for you.
It's not complicated. I simply just don't care about who you are as it relates to the thread. You appear to be attacking the person/people I'm defending, while at the same time defending the secreview post.
> So you list 5 tools they use then mention they modify a javascript library... So basically they use automated tools and are former web developers ... sound pretty hardcore
Javascript is more than just a language for web developers, especially when utilized in the Hailstorm SmartAttack library, which isn't a Javascript library. These are completely different concepts. It should also be noted that both Burp Suite and Hailstorm ARC can be used in manual and hybrid modes... with step-modes and form-trainers. They can modify their traversals and have tons of extra customization on top of what other offerings provide... and can customize the underlying "data-driven" attacks.

Certainly you've read some of Adam Muntner's comments on, say, ha.ckers.org and other places? Allow me to pick on someone in the industry for a second: RSnake. RSnake has an advertisement up on his website that asks, "Which web application scanner can hack it?" "Check the Oct 15 post for study results:"
http://ha.ckers.org/blog/20071014/web-application-scanning-depth-statistics/

Most idiots will only read what RSnake / Larry Suto have written, and will completely miss the comments by Adam Muntner. Adam not only eloquently puts down the testing techniques by Larry Suto, but also makes mention of proper customization of tools and testing outside of the commercial scanners. Effectively, Adam Muntner is one of the only people that does understand this problem that you specifically say he does not, and that the secreview challenge seems to care about most of all other points.

Where was reepex, where was secreview when RSnake and Larry Suto blundered our industry into submission? Why pick on a hero like Adam Muntner instead? What are you getting out of it?

Worse - RSnake hasn't been called out on this yet - but he has good reason to promote Larry's paper. In fact, it may even be a monetary reason. In an article for INSECURE Magazine, they interview RSnake (page 30):
http://www.net-security.org/dl/insecure/INSECURE-Mag-14.pdf

Question: What web application scanners do you use?
RSnake: [...] my favorite tools in my arsenal (including the manual ones) are: Burp Suite, THC Hydra, fierce, Nessus, Nikto, nmap, NTOSpider (commercial), httprint, Cain, sn00per, Absynthe, Sqlninja, a half dozen Firefox plugins like Webdeveloper, JSView, NoScript, Greasemonkey etc... and the entire suite of unix utils out there, like wget, telnet, ncftp, etc.

Notice the only commercial tool listed is NTOSpider. Coincidence? Apparently, too much admiration of a single web application security scanning vendor can be a bad thing. Larry Suto has only ever worked with Eric Caso at NTObjectives. Adam Muntner has been a customer of several CWE-Compatible and aspiring companies out there. He has a balanced view of both the commercial tools and the open-source world, as well as building his own tools from scratch as the need may be.
> You must be a cissp because you take yourself and the internet very seriously. I am pretty sure no one cares about your opinion either.
Wrong again; as always.

Cheers,
Andre

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/