[WEB SECURITY] open source tools are not as good as imagined

Andre Gironda andreg at gmail.com
Sat Jun 4 20:24:23 EDT 2011


On Fri, Jun 3, 2011 at 8:18 PM, 孙松柏 <lukesun629 at gmail.com> wrote:
> Hello everyone,
> I recently did some pentests. I used several tools, both open source and
> commercial tools!
> For the commercial ones, I used AppScan & Acunetix;
> for the open source ones, skipfish & arachni & w3af.

wavsep.googlecode.com shows that open-source & free tools such as
Wapiti, Grabber, and Sandcat Free actually do better than the
commercial tools for SQL injection, XSS, and similar. In other words,
they have fewer false positives and fewer false negatives because of
their injection and analysis techniques. I have not yet seen the
wavsep numbers for Acunetix or Appscan, but I have seen the numbers
for most other commercial scanners. It is possible that Appscan and
Acunetix perform better than Skipfish, Arachni, and W3AF -- but I
would assume that they do much worse than Wapiti, Grabber, and Sandcat
Free when pitted against the categories where those tools did well.

Open-source & free tools do not benchmark as well with regards to
crawling as shown in the wivet.googlecode.com results. This may cause
the open-source tools to miss hostnames, IP addresses, virtual hosts,
URIs, parameters, forms, custom headers (including cookies), and
links that can be extracted from the various places a crawler will
look for them. What's interesting is not only that none of the
crawlers performed perfectly with regards to link extraction (possibly
because of the programming problems related to parsing malformed HTML
-- in addition to extensive problems with Ajax and Flash), but also
that they are generally incapable of providing the correct context to
submit an HTML/Ajax/Flash form without error or without the issuing
request reaching the appropriate server-side context as it would in a
normal use case. This sort of activity would require human
interaction, or at the very least, a Microformat (or similar
technology).

Many application penetration-testers prefer to use a browser and read
the HTML/Ajax/Flash content in order to accurately extract links and
provide context to forms. They will run all of their activities
through a web proxy such as Burp Suite Free Edition, Burp Suite
Professional, Fiddler, W3AF spiderMan discovery plugin, Watobo, and
others. The IBurpExtender interface for Java in Burp Suite
Professional is top notch, which is why it is the #1 tool of choice
for web application security professionals since late 2006 when it
became available. However, the other web proxies I mentioned are
utilized by some professionals for a variety of reasons: Fiddler also
has a rich extension capability, seen through its plugins (often .NET)
-- and W3AF and Watobo are open-source projects with tons of
extensibility and rich feature-sets.

Thus, the best tools are custom-built using scripting language support
for the IBurpExtender interface, found in Burp Python and Buby, and
custom lists that can be leaned on for fault-injection such as
SVNDigger and fuzzdb. This is unlikely to change without 5 years of
investment like has been done with the IBurpExtender interface;
however, it is possible that a commercial scanner solution could find a
way to branch into this testing model.

Cheers,
Andre
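As an added illustration of the crawling point made above (a constructed example written for this page, not code from the thread or from any of the scanners named): a tolerant HTML link and form extractor scored WIVET-style against a small page whose links sit in an unclosed anchor, an unquoted attribute, a form action, a meta refresh and a script string literal. The base URL http://example.test/ and the sample page are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample page (not from the thread): links in the places a WIVET-style
# benchmark hides them, with deliberately sloppy markup a crawler must tolerate.
SAMPLE_HTML = """<html><body>
<a href="/page1">one</a>
<a href=/page2>two</a>
<A HREF = '/page3'>three (anchor never closed)
<form action="/login" method="post"><input name="user"><input name="pw" type="password">
<meta http-equiv="refresh" content="0; url=/page4">
<script>var next = "/ajax/page5"; fetch(next);</script>
</body></html>"""
EXPECTED = {"/page1", "/page2", "/page3", "/login", "/page4", "/ajax/page5"}  # ground truth
BASE = "http://example.test/"  # assumed base URL

class LinkExtractor(HTMLParser):
    """Tolerant extractor: html.parser recovers from most malformed markup."""
    def __init__(self, base, scan_scripts=False):
        super().__init__()
        self.base, self.scan_scripts = base, scan_scripts
        self.found, self.forms, self._in_script = set(), [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lowercases tag and attribute names
        if tag == "a" and a.get("href"):
            self.found.add(urljoin(self.base, a["href"]))
        elif tag == "form" and a.get("action"):
            self.found.add(urljoin(self.base, a["action"]))
            self.forms.append({"action": a["action"], "inputs": []})
        elif tag == "input" and self.forms and a.get("name"):
            self.forms[-1]["inputs"].append(a["name"])  # the context needed to submit the form
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url=(\S+)", a.get("content") or "", re.I)
            if m:
                self.found.add(urljoin(self.base, m.group(1)))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Naive Ajax recovery: quoted absolute-path string literals inside <script>.
        if self._in_script and self.scan_scripts:
            for path in re.findall(r"""["'](/[^"'\s]*)["']""", data):
                self.found.add(urljoin(self.base, path))

def crawl(html, scan_scripts=False, base=BASE):
    p = LinkExtractor(base, scan_scripts)
    p.feed(html)
    p.close()
    return p

def coverage(found, expected=EXPECTED, base=BASE):
    """WIVET-style score: fraction of expected links recovered, plus what was missed."""
    want = {urljoin(base, e) for e in expected}
    return len(want & found) / len(want), sorted(want - found)
```

With HTML-only extraction the page scores 5/6, missing the link that only exists as a JavaScript string; the script-scanning pass recovers it, which is the gap the thread attributes to Ajax handling.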
