[WEB SECURITY] which is the best web application vulnerability scanner
ryandewhurst at gmail.com
Wed May 4 13:54:46 EDT 2011
I'm sorry, but I have to disagree.
"Use as many as possible (to a degree)." was my original quote.
I'm not saying use every scanner at your disposal, pick 3 or 4 which you
find work best for you. Never rely on just one automated blackbox web
It is true in a commercial environment you are restricted by time and scope.
But nothing is stopping you from firing two scanners at a time. You will
spend slightly more time validating the scanner results but the benefits
outweigh this by a long shot. You still only have to write one report from
"What if you find 10. Vulns in Webinspect, 5 in AppScan and 3 in Acunetix"
Then you have 18 potential vulnerabilities to investigate if they are all
unique; some (most) will probably be the same vulnerability, but one or two
may not be.
I always run Nikto on every test, as well as DirBuster, w3af, a local proxy
tool and lots of other tools which aid me in my work.
And of course, don't ever just rely on automated blackbox scanners.
My original point was: use whatever tools, and as many tools, as are going
to aid you in finding and exploiting bugs (vulnerabilities).
projects www.dvwa.co.uk | www.webwordcount.com
On Wed, May 4, 2011 at 6:40 PM, <neza0x at gmail.com> wrote:
> "Use as many as possible scanners" mmmmm??? Technically it could be, but in
> the real corporate world you only have some days to test and validate, so
> more scanners means more time to run/validate and multiple different reports
> to generate, without any consistency.
> What if you find 10 vulns in WebInspect, 5 in AppScan and 3 in Acunetix?
> When the developer says, please re-scan! Crap!!!
> Too much maintenance.
> My suggestion would be to stick with one of the well-known ones (Acunetix,
> AppScan or WebInspect) and add "Educated Testing" to your process, which
> means taking the results of the scan and doing a more intelligent, human test
> on the requests that look "bypassable".
> With this approach you could narrow down the gap of missing defects.
> And actually, the real critical vulns are found by humans, not by scanners.
> My recommendation is to use a scanner that allows macro creation so that you
> can reach sections that the scanner itself cannot.
> Think of a process with 4 steps where the first one is to enter the invoice
> number or credit card; the scanner will never guess it and therefore will not
> be able to touch the next steps/sections/URLs/parameters.
> What about gotcha-enabled apps??
> WebInspect supports macros; Acunetix (at least in the version I used years
> ago) only supports login macros.
> Good luck.
> Sent via BlackBerry from Danux Network
> -----Original Message-----
> From: Ryan Dewhurst <ryandewhurst at gmail.com>
> Sender: websecurity-bounces at lists.webappsec.org
> Date: Wed, 4 May 2011 18:01:19
> To: dave b<db.pub.mail at gmail.com>
> Cc: <websecurity at webappsec.org>
> Subject: Re: [WEB SECURITY] which is the best web application vulnerability