[WEB SECURITY] open source tools are not as good as imagined

Andre Gironda andreg at gmail.com
Sun Jun 5 18:42:01 EDT 2011


On Sun, Jun 5, 2011 at 8:31 AM, psiinon <psiinon at gmail.com> wrote:
> Have you tried the OWASP Zed Attack Proxy -
> https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project?
> It is open source and completely free (there is no paid for 'pro' version).
> It's also intended to be a community project - so we encourage involvement.
> If you submit good quality code then you'll get commit access :)
> Psiinon - OWASP ZAP Project Lead.

Any intent to improve the wavsep.googlecode.com or
wivet.googlecode.com results from ZAP?

ZAP scores worse than both Andiparos and Paros on SQLi categories, and
worse than most tools in other categories when run against WAVSEP.
It's also one of the worst crawlers, as seen in its WIVET results.

Many tools such as W3AF can export their findings as XML (and their
request data as HTML, Ajax, Ruby, Python), which can be imported into The
Dradis Framework (which outputs its own XML, or to HTML, Word, or
Mediawiki). Burp Pro Scanner can export its data as XML and HTML, and
so does the "analyse target" tool -- plus you can save
request/response data in Repeater and store session files that contain
this data. Fiddler can save a SAZ file full of request/response data
and export as a variety of Microsoft Internet Explorer and Visual
Studio XML formats. Do you have any plans to make ZAP more extensible
in these ways?
