-3

In my website I have an SQL injection attack.

But once I scan my website with Nessus under "Web app tests" there is no result on SQL injection.

What is the reason for this? What should I do to make this work?

4
  • 1
    Ok then. What's your question?
    – Polynomial
    Dec 19, 2012 at 10:59
  • 1
    Welcome to Information Security. Nessus is a network scanner. You really shouldn't expect a rigorous application scanner, even if you may get blessed on occasion. Besides, there is no genuine question here...
    – AviD
    Dec 19, 2012 at 11:03
  • edited to try and make it a question...
    – Rhodi Alsop
    Dec 19, 2012 at 11:05
  • Try sqlmap (sqlmap.org); it is the library Metasploit uses.
    Dec 19, 2012 at 17:56

1 Answer

3

Nessus is just a tool - it can do things you configure it to, but it is not intelligent in any way.

If you are detecting SQL injection as an authenticated user, Nessus will not be able to do this unless you allow it to authenticate to your application.

If you are detecting it at a specific URL, you need to make sure Nessus is looking at that URL and that it is checking it for SQL injection.

Many things Nessus misses are down to misconfiguration or permissions, but even once you have set a tool up perfectly, they still have false positives and negatives - which incidentally is why any solely tool-based security scan should not be relied on without manual confirmation!
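
One way to check the two conditions named in this answer (did the scanner request the URL at all, and was it authenticated when it did) from the web server's access log, as an added example that is not part of the original answer. The scanner IP, paths and log lines are constructed, and the log is assumed to be in Combined Log Format.

```python
import re
from collections import Counter

# Combined Log Format: ip ident user [time] "METHOD uri PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Responses that usually mean "the scanner was bounced to a login page or denied".
DENIED = {301, 302, 401, 403}

def scan_coverage(log_lines, scanner_ip, target_path):
    """Summarise what the scanner at scanner_ip did with target_path."""
    statuses = Counter()
    params = set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group(1) != scanner_ip:
            continue  # unparsable line or a different client
        path, _, query = m.group(3).partition("?")
        if path != target_path:
            continue
        statuses[int(m.group(4))] += 1
        # Only query-string parameters are visible here; POST bodies are not logged.
        params.update(p.split("=", 1)[0] for p in query.split("&") if p)
    if not statuses:
        verdict = "not_crawled"                   # scanner never looked at this URL
    elif set(statuses) <= DENIED:
        verdict = "blocked_unauthenticated"       # scanner needs credentials
    elif not params:
        verdict = "reached_no_parameters_tested"  # page fetched, no input exercised
    else:
        verdict = "reached_and_fuzzed"
    return {"verdict": verdict, "statuses": dict(statuses), "params": sorted(params)}

# Constructed sample log: 192.0.2.10 is the (assumed) scanner address.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Dec/2012:10:41:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.10 - - [19/Dec/2012:10:41:09 +0000] "GET /account/orders.php?id=1 HTTP/1.1" 302 0 "-" "-"',
    '192.0.2.10 - - [19/Dec/2012:10:41:15 +0000] "GET /search.php?q=test HTTP/1.1" 200 2048 "-" "-"',
    '192.0.2.10 - - [19/Dec/2012:10:41:20 +0000] "GET /about.php HTTP/1.1" 200 1024 "-" "-"',
    '198.51.100.7 - alice [19/Dec/2012:10:42:00 +0000] "GET /account/orders.php?id=1 HTTP/1.1" 200 4096 "-" "-"',
]

if __name__ == "__main__":
    for path in ("/account/orders.php", "/search.php", "/about.php", "/admin/report.php"):
        print(path, scan_coverage(SAMPLE_LOG, "192.0.2.10", path))
```

A `not_crawled` or `blocked_unauthenticated` verdict for the page you know is injectable points at scan configuration rather than at the detection checks themselves.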
