[WEB SECURITY] which is the best web application vulnerability scanner

Steve Lockwood steve at lochnetsystems.com
Tue May 3 20:05:56 EDT 2011

Has anyone used the free version of Acunetix lately? The free version 
only scans for XSS but version 7 does not seem to identify ANY XSS 
vulnerabilities. I still have version 6.5 and it finds many XSS in my 
test app, but version 7 finds zero.

On 5/3/11 2:14 PM, Andre Gironda wrote:
> On Mon, May 2, 2011 at 7:22 PM, 孙松柏 <lukesun629 at gmail.com> wrote:
>> which is the best web application vulnerability scanner, among the free
>> software like
>> Arachni
> The WebUI is nice. Written in Ruby and requires Rails. Best installed
> using RVM. Doesn't really stand out yet otherwise.
>> JBrofuzz
> You can take the lists from tools like JBroFuzz, fuzzdb, DirBuster,
> and admin-scan.py -- combine them (sort + uniq) -- and then run them
> through a single-pane-of-glass tool like Burp Suite Professional (or
> Fiddler, et al) or a command-line tool such as dirb. This is a very
> common penetration-testing tactic.
>> Websecurify
> There is a Google Chrome/Chromium extension/app. This tool is best
> used when customized internally, which requires heavy knowledge of
> Javascript, especially as a browser/application driver (which is a
> rare skillset to have).
>> Nikto
> This tool is mentioned along with others in the book, "Backtrack 4:
> Assuring Security by Penetration Testing". There are some clear
> examples of running the tool as well as anecdotes about its
> usefulness. I highly encourage you to check out this book for other
> non-obvious reasons that will perhaps become obvious after you read
> it.
>> Wapiti
> Great tool, but works only in certain situations. Probably a good tool
> to combine with other tools that can rewrite headers and perform
> passive analysis, such as Burp Suite Professional or Fiddler with
> Casaba Watcher. I especially like how Wapiti can specify POST-only
> attacks. It's written in Python.
>> W3AF
> This is one of the best tools because it stands alone in its support
> of key innovations in webappsec technology. It has the best
> open-source crawler, as seen from the wivet.googlecode.com results.
> Many people think that W3AF is all Python, but it's really a mix of
> languages -- especially now that its founders and developers work for
> Rapid7 (classically known to be a Ruby appdev shop). My favorite
> features of W3AF are the spiderMan discovery plugin, all of the grep
> plugins (which can be imported into Burp via the Burp Python extension
> API), and some of the attack/evasion plugins. The emailReport plugin
> is handy, the XML output is excellent (and it has its own XSD), and
> the Export Request Tool feature is one of my favorites -- allowing
> export of attacks to various languages, including HTML, Ajax, Python,
> and Ruby (note that these are best when imported into HtmlFixture in
> FitNesse, or used on a build/CI server as integration tests).
>> Skipfish
> It's written in C and super-fast, with some really interesting
> capabilities. The crawler isn't bad, but it's not quite as good as
> W3AF (or some commercial tools). I like the "-D" flag the most, and
> the ability for this tool to go through those
> JBroFuzz/fuzzdb/admin-scan.py/DirBuster lists is unmatched --
> especially given its other capabilities to lean on dictionaries for
> predictable-resource-location attacks.
>> Grendel-Scan
> Terrible performance, scalability, and usability. I don't believe the
> author promotes its usage anymore.
>> Grabber
> I've always liked this tool, but it's a bit of a project; almost
> academic. The author went on to do more with Python, such as the
> BlackSheep browser that performs security testing.
>> wikto
> I'm not sure this is supported anymore -- it was replaced by Suru many
> years ago, which itself has not been updated in some time. Many of the
> search/dorking capabilities are replaced by newer tools such as
> SearchDiggity.
> ==
> My personal recommendation is to learn the concepts in Tamper Data and
> to build on webappsec knowledge in order to write your own scanner(s).
> The ones that you build for yourself will always be "the best",
> because you're the customer (and you know yourself and your testing
> capabilities, especially test case design and test case organization
> along with time management and other principles).
> The commercial tools are a waste of time, money, and I'd like to say
> many other bad things about them. However, both Netsparker and
> WebInspect have crawlers and manual modes that can be useful in rare
> circumstances -- so I add them to my toolchain, which is usually
> dominated by Tamper Data, Burp Suite Professional, W3AF, and Fiddler
> with Casaba Watcher and x5s. However, I find many other tools useful
> at times.
> _______________________________________________
> The Web Security Mailing List
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> WASC on Twitter
> http://twitter.com/wascupdates
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Steve Lockwood
LochNET Systems, LLC.
Mobile: (727) 512-8408
Email: steve at lochnetsystems.com
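A quick way to settle the "version 7 finds zero XSS in my test app" question is to confirm, independently of any scanner, whether the test application really reflects a parameter unencoded. The following is an added example, not code from the thread or from any of the scanners discussed: it defines a constructed two-endpoint WSGI app (`/vuln` echoes the parameter raw, `/safe` HTML-escapes it) and a canary check that drives the app in-process, with no network, and reports whether the markup characters in the canary survive. All names (`demo_app`, `CANARY`, `reflects_unencoded`) are assumptions for this example. The same check, pointed at a real test app through an HTTP client, is the baseline against which a scanner's "zero findings" should be compared.

```python
"""Reflection canary check (added example, not part of the original post).

Validates a deliberately vulnerable test endpoint beside its hardened twin
before trusting any scanner's verdict on it.  Everything here is constructed
for illustration: the WSGI app, the endpoints and the canary token.
"""
import html
import io
import urllib.parse

# Unusual token carrying the characters that output encoding must neutralise.
CANARY = 'zq<"\'>zq'


def demo_app(environ, start_response):
    """Constructed app: /vuln reflects raw (the 'before'), /safe escapes (the fix)."""
    query = urllib.parse.parse_qs(environ.get("QUERY_STRING", ""))
    value = query.get("q", [""])[0]
    path = environ.get("PATH_INFO", "/")
    if path == "/vuln":
        # Raw reflection: what a scanner's XSS check is supposed to catch.
        body = f"<p>You searched for: {value}</p>"
    elif path == "/safe":
        # Hardened: HTML-escape, including quotes, before inserting into markup.
        body = f"<p>You searched for: {html.escape(value, quote=True)}</p>"
    else:
        start_response("404 Not Found", [("Content-Type", "text/html")])
        return [b"<p>not found</p>"]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body.encode("utf-8")]


def call_wsgi(app, path, params):
    """Invoke a WSGI app in-process and return (status line, decoded body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": path,
        "QUERY_STRING": urllib.parse.urlencode(params),
        "SERVER_NAME": "localhost",
        "SERVER_PORT": "80",
        "wsgi.url_scheme": "http",
        "wsgi.input": io.BytesIO(b""),
        "wsgi.errors": io.StringIO(),
        "wsgi.version": (1, 0),
        "wsgi.multithread": False,
        "wsgi.multiprocess": False,
        "wsgi.run_once": False,
    }
    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode("utf-8")


def reflects_unencoded(app, path, param):
    """True when the canary comes back byte-for-byte: markup characters survived."""
    _, body = call_wsgi(app, path, {param: CANARY})
    return CANARY in body


def reflects_encoded(app, path, param):
    """True when the canary comes back only in its HTML-escaped form."""
    _, body = call_wsgi(app, path, {param: CANARY})
    return CANARY not in body and html.escape(CANARY, quote=True) in body


def audit(app, paths, param="q"):
    """Map each path to 'unencoded', 'encoded' or 'absent' for the canary."""
    verdicts = {}
    for path in paths:
        if reflects_unencoded(app, path, param):
            verdicts[path] = "unencoded"
        elif reflects_encoded(app, path, param):
            verdicts[path] = "encoded"
        else:
            verdicts[path] = "absent"
    return verdicts


if __name__ == "__main__":
    for path, verdict in audit(demo_app, ["/vuln", "/safe", "/missing"]).items():
        print(f"{path}: canary {verdict}")
```

If `audit` reports `unencoded` for an endpoint and the scanner reports nothing, the scanner is the thing to investigate (crawl scope, input recognition, or a regression in the new version); if it reports `encoded` or `absent`, the test app, not the scanner, is the reason for the empty result.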
