20070124

FUNNY: Things we'd like to see in new App Scanners

Please feel free to add to this list. And if there are vendors reading this, this is tongue in cheek.

What if web application scanners were as modern as web applications? Some of the features we might see:

  • Reflected XSS, XSRF and command-injection flaws exploitable with GET are posted to del.icio.us and ma.gnolia automatically
  • Victims can rank their favorite flaws
  • Screenshots get posted to flickr automatically
  • Mashup with Google Maps shows where flaws are found geographically
  • Every finding has links for posting to /. and digg
  • XSS flaws on public-facing sites get posted automatically to important sites such as sla.ckers
  • Applets or downloaded servlet code are automatically decompiled using jad, the source files get the LGPL applied so they're open source, a new project is created on sourceforge, and all the source is indexed in Google Code Search
  • Manual hacks are recorded, results sent to youtube
  • Feeds of most recent findings
  • Fixes added as To Do items at 43things and Remember the Milk
  • SMS notifies the assessor when brute force is complete
  • Developer names found in comments are looked up in Google Groups and MySpace
  • Scanner is controlled via a module on my Goowy webtop
  • Best XSS 'sploits are automatically tested against MySpace
  • Reflected XSS are fed automatically to the best phishing kits
  • No scanner would ever come out of Beta

What am I missing?

3 comments:

  1. LinkedIn could be used to find responsible parties and report vulnerability information through private messages.

    The scanner could automate this process by creating trashmail/dodgeit/mailinator accounts on Jigsaw and getting the business cards on a per-company basis. Using Asterisk (and spoofing the caller ID of another reputable employee) and Festival (text-to-speech), it could explain to the vendor what the vulnerability is. Using a more "Marilyn Monroe" voice than a Stephen Hawking voice would probably get vendors to pay closer attention to these cold [wakeup] calls.

    Of course, web administrators and security professionals representing an organization could get on Gabbly (as their own website) and the scanner could report findings and remediation steps over a chat interface.

    Scanners could also use blackhat SEO techniques like parasite hosting and cloaking to make new findings of the day appear at the top of search engines, media, and other blogs/reports. Image spam techniques could also be used to notify responsible parties. Scanners could use blog spam techniques to report new findings to administrator and security professionals' personal or work blogs.

    Web worms could be used to provide output filtering on site-wide XSS and CSRF by just-in-time patching these vulnerabilities in real time.

  2. Mark Curphey 05:59

    It is such a shame that OWASP Barretta never got traction. All of these things would be very possible with it.

  3. Anonymous 05:08

    Did you know that you cannot add your own license into software licensed by others like that?
