[WEB SECURITY] which is the best web application vulnerability scanner

neza0x at gmail.com
Wed May 4 13:40:35 EDT 2011


"Use As many as possible scanners" mmmmm??? Technically it could be, but in the real corporate world you only have some days to test and validate, so more scanners means more time to run/validate and multiple different reports to generate, without any consistency.

What if you find 10 vulns in WebInspect, 5 in AppScan and 3 in Acunetix?

When the developer says, please re-scan! Crap!!!

Too much maintenance.

My suggestion would be, stick with one of the well known ones: Acunetix, Appscan or WebInspect and add to your process "Educating Testing", which means, take the results of the scan and do a more intelligent-human test on the requests that look "bypassable".

With this approach you could narrow down the gap of missing defects.

And actually, the real critical vulns are found by humans not by scanners :-)

My recommendation is to use a scanner that allows macro creation so that you can reach sections that the scanner itself cannot.
Think of a process with 4 steps where the first one is to enter the invoice number or credit card: the scanner will never guess it and is therefore not able to touch the next steps/sections/URLs/parameters.

What about gotcha-enabled apps??

Webinspect supports macros, Acunetix (at least in the version I used years ago) only supports login macros.

Good luck.
Sent via BlackBerry from Danux Network

-----Original Message-----
From: Ryan Dewhurst <ryandewhurst at gmail.com>
Sender: websecurity-bounces at lists.webappsec.org
Date: Wed, 4 May 2011 18:01:19 
To: dave b<db.pub.mail at gmail.com>
Cc: <websecurity at webappsec.org>
Subject: Re: [WEB SECURITY] which is the best web application vulnerability scanner
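The post's complaint about running several scanners (10 findings in WebInspect, 5 in AppScan, 3 in Acunetix, "without any consistency", and then "please re-scan!") is a data-normalisation problem as much as a tooling one. The following is an added example, not code from the post or from any of the scanners named; it assumes a hypothetical, simplified report layout (each real scanner exports its own XML/JSON schema, so the loading step would be adapted per tool) and uses constructed findings for a fictional shop.example application. It merges reports by (page, parameter, vulnerability class), records which scanners agreed, keeps the highest severity assigned, and diffs two runs so a re-scan reports fixed / new / still-open items instead of a fresh unrelated list.

```python
"""Reconcile findings from several web scanners into one consistent list.

Added example, not from the original post. The report layout is hypothetical
(real scanners export their own schemas); the sample findings are constructed.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed alias table: each scanner's own names -> one shared class name.
CLASS_ALIASES = {
    "cross-site scripting": "xss",
    "reflected xss": "xss",
    "xss (reflected)": "xss",
    "sql injection": "sqli",
    "sql injection (blind)": "sqli",
    "directory listing": "dirlisting",
}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def normalize_url(url):
    """Drop query and fragment and lowercase scheme/host so that
    'http://Shop.example/cart?item=1' and 'http://shop.example/cart' match."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", "", ""))


def normalize_class(name):
    n = name.strip().lower()
    return CLASS_ALIASES.get(n, n)


def finding_key(finding):
    """Identity of a finding: (page, parameter, vulnerability class)."""
    return (normalize_url(finding["url"]),
            finding.get("parameter", "").strip().lower(),
            normalize_class(finding["type"]))


def merge_reports(reports):
    """reports: {scanner_name: [finding, ...]}.
    Returns a sorted list of merged findings, each recording every scanner
    that reported it and the highest severity any of them assigned."""
    merged = {}
    for scanner, findings in reports.items():
        for f in findings:
            key = finding_key(f)
            entry = merged.setdefault(key, {
                "url": key[0], "parameter": key[1], "class": key[2],
                "severity": "low", "scanners": set()})
            entry["scanners"].add(scanner)
            sev = f.get("severity", "low").lower()
            if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK[entry["severity"]]:
                entry["severity"] = sev
    return [merged[k] for k in sorted(merged)]


def diff_runs(previous, current):
    """Compare two merged runs (e.g. before and after a developer fix) by
    finding identity. Returns (fixed, new, still_open) as sorted key lists."""
    prev = {(m["url"], m["parameter"], m["class"]) for m in previous}
    cur = {(m["url"], m["parameter"], m["class"]) for m in current}
    return sorted(prev - cur), sorted(cur - prev), sorted(prev & cur)


# Constructed sample reports for a fictional shop.example application.
SAMPLE_REPORTS = {
    "WebInspect": [
        {"url": "http://Shop.example/cart?item=1", "parameter": "item",
         "type": "SQL Injection", "severity": "High"},
        {"url": "http://shop.example/search", "parameter": "q",
         "type": "Cross-Site Scripting", "severity": "Medium"},
        {"url": "http://shop.example/images/", "parameter": "",
         "type": "Directory Listing", "severity": "Low"},
    ],
    "AppScan": [
        {"url": "http://shop.example/cart", "parameter": "item",
         "type": "SQL Injection (Blind)", "severity": "medium"},
        {"url": "http://shop.example/search?q=test", "parameter": "q",
         "type": "Reflected XSS", "severity": "medium"},
        {"url": "http://shop.example/login", "parameter": "user",
         "type": "SQL Injection", "severity": "high"},
    ],
    "Acunetix": [
        {"url": "http://shop.example/search", "parameter": "Q",
         "type": "XSS (Reflected)", "severity": "medium"},
        {"url": "http://shop.example/admin/", "parameter": "",
         "type": "Directory Listing", "severity": "low"},
    ],
}


def example_merge():
    """Merge the constructed sample reports: 8 raw findings become 5."""
    return merge_reports(SAMPLE_REPORTS)


if __name__ == "__main__":
    for m in example_merge():
        print(f'{m["severity"]:6} {m["class"]:10} {m["url"]} [{m["parameter"]}] '
              f'<- {", ".join(sorted(m["scanners"]))}')
```

The eight raw findings collapse to five distinct issues; the cart SQL injection is reported by two tools under different names and severities, and the search XSS by all three. Re-running `diff_runs` against a later merged run gives the developer a stable answer to "did my fix remove it?" regardless of which scanner produced the original finding.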

_______________________________________________
The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity at lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org