skipfish and vulnerabilities

Started by hyperman, May 28, 2013, 10:03:28 AM


hyperman

hi guys!  :)

I use BackTrack and BackBox for some tests that I need to do.
I use several different kinds of web application scanners.

Usually after a scan the scanner shows the vulnerabilities and the corresponding CVE code.

but with skipfish, not. :(

Now I would like to know where I can find more information about the vulnerabilities that skipfish finds,
because the information that it gives me is less than necessary. :-\

But in particular, the information that it gives me isn't specific, so I cannot understand the gravity of the vulnerabilities or the possible solutions. :-\

If you cannot help me in this way, can you point me to some other web scanner that shows a more detailed list of vulnerabilities? ???

thank you!
regards

ZEROF

#1
Hi,

What you need to know about any web scanner is that you will always get false positives. That is the part where you need to use your brain and knowledge. You can use other scanners like Arachni, XSSer, Nikto and many other free or paid solutions.

And you need to learn a lot before just running some tool. That is how you need to think if you want to learn. First learn about all the vulnerabilities, then try to exploit them. If not, you will lose a lot of your time.

Don't ask, read : http://wiki.backbox.org
or just run sudo rm -rf /*

hyperman

Quote from: ZEROF on May 30, 2013, 12:19:57 AM
Hi,

What you need to know about any web scanner is that you will always get false positives. That is the part where you need to use your brain and knowledge. You can use other scanners like Arachni, XSSer, Nikto and many other free or paid solutions.

And you need to learn a lot before just running some tool. That is how you need to think if you want to learn. First learn about all the vulnerabilities, then try to exploit them. If not, you will lose a lot of your time.

oh sure! ;)

I know, and I use Nikto, but I don't know all types of vulnerabilities.
After a scan, Nikto shows you an OSVDB id,
so if I don't know something I can read and search about the OSVDB id and I can learn.

But with skipfish, I don't have any id, neither OSVDB nor CVE, so I have some difficulty understanding the vulnerabilities found.

I want to specify that I don't use the vulnerabilities found to exploit them to attack a web site; I use the vulnerabilities to defend my site and my web applications.

anyway thanks for the answer. =)
regards
