Thursday, August 8, 2013

DEF CON 21 / Evolving Exploits Through Genetic Algorithms / Updated slides

I made significant changes between when the CD was created for the DEF CON attendees and when I actually gave the presentation. Attached is the version I used during the talk:
Please note that the statistics associated with various web scanners were performed over a series of 10 trials (5 SQLi and 5 CMD injection) using various vulnerable web pages. As an addendum, I'm not the most proficient Burp user (I claim no significant proficiency / wizardry), so the extensive number of queries that I reported in the charts could be reduced with a more educated user of the tool in question. My approach when gathering the data was to configure a given tool such that the following would hold true:
  • The primary concern is non-manual interaction with the scanning tool
  • The secondary concern with tool configuration is to create an exploit (if the tool allows for such)
  • The tertiary concern is with vulnerability identification
  • The quaternary concern is with stealth (i.e., least number of requests per amount of time)
Hopefully that should provide a better context for the results presented in the slides.

-soen
