Grendel-Scan Blog

Last night, I found out that my paper to Toorcon was accepted. It’s going to be very different than the DEFCON (and OWASP) talk. DEFCON was basically a sales pitch for a free tool. The Toorcon talk will only be about the technical details of some of Grendel’s more advanced techniques. I don’t know if it’s a 20 or 50-minute presentation yet; the abstract for the 50-minute version is below:

Advanced Techniques in Automated Web Application Testing

Using regular expressions (or, gasp, simple text patterns) is not a state-of-the-art technique for
processing the results of automated web security tests. This presentation will provide an in-depth
discussion of a number of advanced techniques used in, or planned for Grendel (grendel-scan.com).
In the past, many of these techniques were rarely seen outside commercial software. This includes
quantitatively measuring the similarity of HTTP responses, creating sophisticated logical file-not-found
profiles, using an HTML DOM implementation and JavaScript engine, logical session tracking, test job
categorization, and automated fuzzing. The usage of Grendel, its interface, high-level features, etc will not be discussed in this presentation. Don’t expect to see a single screenshot of the GUI.

Grendel has been getting some attention from a number of blogs and news sites, which I’m really happy to see. However, someone (I’m not sure who did it first) wrote that Grendel can find logic and design flaws. A lot of other sites picked up on that and repeated it. As awesome as Grendel is, it’s not that good. The last five minutes of the DEFCON presentation were basically a rant about why automated scanners are a poor substitute for a manual penetration test. Logic and design flaws are a great example of something that automated scanners cannot detect. This isn’t just a weakness in Grendel; it’s present in all of the commercial products as well. Until we have HAL-like software, I think it’s going to take a human to find design and logic flaws.

Eric and I completed our DEFCON presentation today. It was standing/sitting room only, which was nice. The presentation slides can be found here. The current release of Grendel can be found on the downloads page.

Eric and I presented Grendel 0.9 at the Boulder OWASP meeting, and in Denver on the previous night. The presentation slides and ISO of the demo environment have been uploaded.