[WEB SECURITY] which is the best web application vulnerability scanner

Arian J. Evans arian.evans at anachronic.com
Wed May 4 14:38:08 EDT 2011


responding to your statements below:

None of the scanners provide meaningful depth/coverage
when run in point-and-shoot mode. In addition, their tests will
stomp all over each other and conflict if run concurrently.

So, the "run a bunch of different scanners" and "you
can run them in parallel" advice does not work beyond
testing simple, unauth brochureware.

This is despite the obvious fact that few people have
time to effectively run one DAST or SAST scanner
on all their apps when they need to/when their code
changes. Adding more tools will not help, but I digress.

I can see the more limited use-case where a consultant
on a pen-test engagement with enough time may choose
to run more than one tool. But that doesn't translate over
to corporate application security.

---
Arian Evans
Software Security Scanning Stuff


On Wed, May 4, 2011 at 10:54 AM, Ryan Dewhurst <ryandewhurst at gmail.com> wrote:
> I'm sorry, but I have to disagree.
>
> "Use as many as possible (to a degree)." was my original quote.
>
> I'm not saying use every scanner at your disposal, pick 3 or 4 which you
> find work best for you. Never rely on just one automated blackbox web
> application scanner.
>
> It is true in a commercial environment you are restricted by time and scope.
> But nothing is stopping you from firing two scanners at a time. You will
> spend slightly more time validating the scanner results but the benefits
> outweigh this by a long shot. You still only have to write one report from
> the results.
>
> "What if you find 10. Vulns in Webinspect, 5 in AppScan and 3 in Acunetix"
>
> Then you have 18 potential vulnerabilities to investigate, if they are all
> unique, some (most) will probably be the same vulnerability, but one or two
> may not be.
>
> For example:
> I always run Nikto on every test, as well as Dirbuster, w3af, a local
> proxy tool and lots of other tools which aid me in my work.
>
> And of course, don't ever just rely on automated blackbox scanners.
>
> My original point was, use whatever tools and as many tools that are going
> to aid you in finding and exploiting bugs (vulnerabilities).
>
> Ryan Dewhurst
>
> blog www.ethicalhack3r.co.uk
> projects www.dvwa.co.uk | www.webwordcount.com
> twitter www.twitter.com/ethicalhack3r
>
>
> On Wed, May 4, 2011 at 6:40 PM, <neza0x at gmail.com> wrote:
>>
>> "Use As many as possible scanners" mmmmm??? Technically could be, but in
>> the real Corporate world, you only have some days to test and validate, so,
>> more scanners, more time to run/validate and multiple different reports to
>> generate. Without any consistency.
>>
>> What if you find 10. Vulns in Webinspect, 5 in AppScan and 3 in Acunetix?
>>
>> When the developer says, please re-scan! Crap!!!
>>
>> Too much maintenance.
>>
>> My suggestion would be, stick with one of the well known ones: Acunetix,
>> Appscan or WebInspect and add to your process "Educating Testing", which
>> means, take the results of the scan and do a more intelligent-human test on
>> the requests that look "bypassable".
>>
>> With this approach you could narrow down the gap of missing defects.
>>
>> And actually, the real critical vulns are found by humans not by scanners
>> :-)
>>
>> My recommendation is to use a scanner that allows macro creation so that you
>> can reach sections that the scanner itself cannot.
>> Think of a process with 4 steps where the first one is to enter the
>> invoice number or credit card: the scanner will never guess it and is therefore
>> not able to touch the next steps/sections/urls/parameters.
>>
>> What about gotcha-enabled apps??
>>
>> Webinspect supports macros, Acunetix (at least in the version I used years
>> ago) only supports login macros.
>>
>> Good luck.
>> Sent via BlackBerry from Danux Network
>>
>> -----Original Message-----
>> From: Ryan Dewhurst <ryandewhurst at gmail.com>
>> Sender: websecurity-bounces at lists.webappsec.org
>> Date: Wed, 4 May 2011 18:01:19
>> To: dave b<db.pub.mail at gmail.com>
>> Cc: <websecurity at webappsec.org>
>> Subject: Re: [WEB SECURITY] which is the best web application vulnerability scanner
>>
>> _______________________________________________
>> The Web Security Mailing List
>>
>> WebSecurity RSS Feed
>> http://www.webappsec.org/rss/websecurity.rss
>>
>> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>
>> WASC on Twitter
>> http://twitter.com/wascupdates
>>
>> websecurity at lists.webappsec.org
>>
>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>>
>
>
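Ryan's "10 + 5 + 3 = 18 potential vulnerabilities, most of them the same" only becomes a workable number once findings from the different tools are normalised to one key and merged. The following is an added example, not code from this thread or from any of the products named: it merges three constructed scanner exports (field names and vocabulary are assumptions, not any vendor's real format) on a (vulnerability class, host, path, parameter) key and reports which findings only one tool saw.

```python
"""Merge findings from several web scanners and count the unique ones.
Added example; scanner export formats below are simplified and constructed."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample exports: each tool labels the same defect differently.
SCANNER_A = [  # assumed field names for tool A
    {"check": "Cross-Site Scripting", "url": "https://app.example/search?q=1", "param": "q"},
    {"check": "SQL Injection", "url": "https://app.example/item?id=5", "param": "id"},
    {"check": "Cross-Site Scripting", "url": "https://app.example/search?q=2", "param": "q"},
]
SCANNER_B = [  # assumed field names for tool B
    {"issue": "XSS (reflected)", "uri": "https://app.example/search", "parameter": "q"},
    {"issue": "SQLi", "uri": "https://app.example/item", "parameter": "id"},
]
SCANNER_C = [  # assumed field names for tool C
    {"name": "Cross site scripting", "location": "https://app.example/search?q=x", "input": "q"},
    {"name": "Directory listing", "location": "https://app.example/backup/", "input": ""},
]

# Map each tool's vocabulary onto one class name; unknown names pass through lowercased.
CLASS_MAP = {
    "cross-site scripting": "xss", "xss (reflected)": "xss", "cross site scripting": "xss",
    "sql injection": "sqli", "sqli": "sqli",
}

def normalise(name, url, param):
    """Key = (class, host, path, parameter); query string and case are dropped."""
    cls = CLASS_MAP.get(name.strip().lower(), name.strip().lower())
    parts = urlsplit(url)
    return (cls, parts.netloc.lower(), parts.path.rstrip("/") or "/", param.lower())

def merge_findings(a, b, c):
    """Return {key: [tool labels that reported it]} across the three exports."""
    merged = defaultdict(list)
    for f in a:
        merged[normalise(f["check"], f["url"], f["param"])].append("A")
    for f in b:
        merged[normalise(f["issue"], f["uri"], f["parameter"])].append("B")
    for f in c:
        merged[normalise(f["name"], f["location"], f["input"])].append("C")
    return dict(merged)

def summary(a=SCANNER_A, b=SCANNER_B, c=SCANNER_C):
    """(raw finding count, unique count, keys reported by exactly one tool)."""
    merged = merge_findings(a, b, c)
    raw = len(a) + len(b) + len(c)
    singles = sorted(k for k, tools in merged.items() if len(set(tools)) == 1)
    return raw, len(merged), singles
```

The single-tool findings are the ones worth validating first, since they are the "one or two" that the other scanners missed; the rest collapse into one report entry each.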