Differences Between Web Application Scanning Tools When Scanning for XSS and SQLi

Offered By: OWASP Foundation via YouTube

Tags

Conference Talks Courses, Penetration Testing Courses, Cross-Site Scripting (XSS) Courses, SQL Injection Courses, Web Application Security Courses

Course Description

Overview

Explore an in-depth investigation into the differences between web application scanning tools for detecting XSS and SQL injection vulnerabilities in this AppSecUSA 2017 conference talk. Delve into the challenges faced by automated scanners as web technologies evolve, using the 2015 TalkTalk hack as a case study to highlight the critical importance of secure web applications. Examine how various scanning tools attempt to identify dangerous vulnerabilities and the impact of modern development frameworks on their effectiveness. Learn about the problems scanners encounter with both traditional and contemporary web architectures, including issues like Anti-CSRF tokens, recursive links, and dynamically generated URLs. Gain insights into potential improvements for automated scanning and understand the pitfalls of relying solely on automation without applying intelligence and context. Benefit from the expertise of Robert Feeney, SecOps Lead at Edgescan, as he shares his knowledge on web application security and managed services.

Syllabus

Introduction
Agenda
About Me
Verizon Data Breach Report
Notable Web Breaches
Automated Web Application Scanning
Why Johnny Can't Pentest
Experiment Setup
Experiment Overview
Key Findings
Attack Vectors
Stored XSS
Solution
Known Pitfalls
CAPTCHAs
Multistep Logins
CSRF Tokens
Non-Standard Error Messages
Non-Standard Protocol
Name Level Check
Component Security

Taught by

OWASP Foundation
