3

I've just used a security vendor's automated PCI scanning tool to scan my web server.

It only has the ability, out of the box, to scan URLs as an un-authenticated user. This means it is only scanning my login page and any other URLs it can crawl/guess, and only in one mode (that is, all of the pages have significantly more functionality available when logged in).

Is there any known PCI scanning tool that allows scans as an authenticated user for better coverage? I can imagine making a restricted login for the tool, and then specifying the login/password or a cookie as part of the scan configuration.

Perhaps I am confusing the purpose of PCI scanning, and it's meant to be a black box test. It seems if this is the case, the only next possible step in better penetration testing for me is to hire a security vendor to do manual white box testing.

Yoshi
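The coverage gap the question describes (pages only reachable once logged in) can be measured directly by crawling twice, once anonymously and once with the session cookie of a restricted test account. This is an added example, not code from the question or either answer; the mini-site, `fetch` stand-in and cookie value are constructed so it runs offline.

```python
import re
from collections import deque

# Constructed in-memory site: url -> (requires_login, html). Pages that need a
# login answer anonymous requests with a redirect, as the real server would.
SITE = {
    "/": (False, '<a href="/login">Login</a> <a href="/about">About</a> '
                 '<a href="/account">My account</a>'),
    "/about": (False, '<a href="/">Home</a>'),
    "/login": (False, '<form action="/login" method="post"></form>'),
    "/account": (True, '<a href="/account/cards">Cards</a> '
                       '<a href="/account/export">Export</a>'),
    "/account/cards": (True, '<a href="/account/cards/1">Card 1</a>'),
    "/account/cards/1": (True, '<a href="/account">Back</a>'),
    "/account/export": (True, '<a href="/account">Back</a>'),
}
TEST_SESSION_COOKIE = "sessionid=restricted-scanner-account"  # constructed value
LINK_RE = re.compile(r'href="([^"]+)"')


def fetch(url, cookie=None):
    """Stand-in for an HTTP GET; returns (status, body)."""
    if url not in SITE:
        return 404, ""
    requires_login, body = SITE[url]
    if requires_login and cookie != TEST_SESSION_COOKIE:
        return 302, ""  # bounced to the login page, nothing to crawl
    return 200, body


def crawl(start="/", cookie=None):
    """Breadth-first link discovery; returns the URLs that answered 200."""
    seen, reached, queue = {start}, set(), deque([start])
    while queue:
        url = queue.popleft()
        status, body = fetch(url, cookie)
        if status != 200:
            continue
        reached.add(url)
        for link in LINK_RE.findall(body):
            if link not in seen:
                seen.add(link)
                queue.append(link)
    return reached


def coverage_gap(cookie=TEST_SESSION_COOKIE):
    """URLs the authenticated crawl reaches that the anonymous crawl never sees."""
    return crawl(cookie=cookie) - crawl()
```

On this constructed site the anonymous crawl stops at three public pages while the authenticated crawl reaches all seven, so the gap set is what an unauthenticated scanner never exercises.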

2 Answers

1

Have you tried looking more into the options that may be available in the tool? Personally, I tend to favor Acunetix, which does allow the creation of a login script so that it can scan as both an authenticated and non-authenticated user. The only downside to this is that you are only able to set up a single login script for each individually run scan, whereas some applications will have multiple separate authenticated areas.

  • I was thinking more in terms of PCI scanning as advertised by and its inherent limits. Thanks for the link to Acunetix, though, as it seems something like this is the next step up from PCI scanning. – Yoshi Oct 20 '11 at 21:43
1

A PCI ASV scan is a black box test. It is meant to certify a minimum level of security which you must achieve to receive passing results (and be considered 'PCI Compliant'). The web crawling portion is only a small part of the total ASV scan.

I agree it would be helpful to have your site tested with a credentialed login. But, if you did provide credentials to your ASV, technically it wouldn't be an ASV scan anymore.

It is possible that some ASVs provide this option as an additional service but that would be up to the ASV. There are other scanning tools and vendors that you could use for this specific test. Nessus is one that comes to mind.

freb
  • That makes sense. I was just a bit surprised that the PCI scan would cover so little of the surface of my website (and therefore test so few attack vectors), because the marketing terms laud a compliant scan as evidence of being "hacker safe" or "hacker proof" - quite laughable. Do you have any examples of vendors that perform tests with a credentialed login, because I would prefer to use a SaaS solution? – Yoshi Oct 20 '11 at 21:50
  • I'm not aware of any automated solutions that allow credentials. If you used a more manual solution I'm sure they wouldn't have any problem using credentials you supply. I agree those marketing terms are both laughable and misleading. PCI is good but not sufficient for those with real security concerns. – freb Nov 04 '11 at 18:56