

Webseclab – Web security test cases and a construction toolkit - Allstar
https://github.com/yahoo/webseclab

======
dguido
If you're planning on scanning all of your web apps at scale, you probably
want to know what you can find and what you'll miss.

As for competitors, I think there is WavSep but I'm not sure how suitable it
is for Yahoo's use case (it looks like an overgrown J2EE app). People involved
in that project infrequently rank scanners on their blog:

* [https://code.google.com/p/wavsep/](https://code.google.com/p/wavsep/)

* [http://sectooladdict.blogspot.ro/2014/02/wavsep-web-applicat...](http://sectooladdict.blogspot.ro/2014/02/wavsep-web-application-scanner.html)

I have the feeling that the Yahoo bug bounties are about to get a whole lot
harder to claim.

~~~
dsacco
This is good news. Yahoo has demonstrated that they can manage the largest bug
bounty program in the world. Now it's time to elevate the difficulty of
finding vulnerabilities to the same status as Google or Facebook.

Unfortunately, this will do nothing for the engineering hours being sunk into
monitoring the thousands of invalid reports submitted each year.

------
what-no-tests
No tests? Hello?

------
jdawg77
This can't be because the most advanced unit in the entire United States
Military reminded the world that, last month, they _already_ played the trump
card, can it?

[http://www.army.mil/article/141734/Army_cyber_defenders_open...](http://www.army.mil/article/141734/Army_cyber_defenders_open_source_code_in_new_GitHub_project/)

Nah; that must be a coincidence. After all, why would somebody after the US
Military try to convince people that their security was better? Do you
honestly think Yahoo has better stuff than the Tony Stark of the armed forces?

Please. Let's see, Ycombinator's got some ex-Yahoos as alumni, I'm sure
they'll chime in and disagree with me any moment. Yep yep. Bring it.

~~~
dguido
Sorry, but did you even read either article before posting your unintelligible
conspiracy theory? One does packet parsing and the other verifies ability to
assess webapp vulnerabilities.

[https://github.com/USArmyResearchLab/Dshell](https://github.com/USArmyResearchLab/Dshell)

~~~
tehlark
Clearly he didn't even read the first word of the title. =)

