136 Security De-engineering
trusted to handle the assessment, and false positives will be produced
that will need later analysis by a technical expert.
Some tools can detect a blatant cross-site scripting problem where
the submitted marked up attack string is returned in the “next page”
generated by the application, but the malevolent user input can be
“stored” in many places in the application output, such as in logs or
alert messages, or emails sent out by the application.
Generally speaking, there is slightly more advantage to be gained
in usage of Web autoscanners as compared with autoscanners, but in
terms of business-critical Web applications, it comes nowhere near the
level sucient for organizations to be able to avoid usage of Hac