[WEB SECURITY] which is the best web application vulnerabilityscanner

neza0x at gmail.com neza0x at gmail.com
Wed May 4 14:31:33 EDT 2011


"Nothing is stopping you two firing two scanners at the same time",
Let me give you 3 examples of someone stopping me/all:

1. In corporate environments you cannot just download any tool (especially freeware ones) and run it; those need to be approved tools, or at least it should be that way. I cannot imagine a company allowing its users to download/run anything they want.

2. Dedicated scanners: some companies have dedicated servers to install/run scans, so by adding a new tool you might want to add a new server if you want to fire up two scans at the same time. Money-wise.

3. Scanners run in a corporate environment must be allowed by IDS/IPS, WAF and so on to go through and reach the target. As you know, every scanner has an HTTP header that identifies it to the network; with your approach, the networking team will need to allow different scanners in the network, which, by the way, could also be the ones from malicious guys.

Bottom line, it depends on your environment; for corporate ones, at least in the three Fortune 500 companies I have worked for, it does not work that way.
Sent via BlackBerry from Danux Network
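The replies below argue over what to do with 10, 5 and 3 findings from three scanners ("18 potential vulnerabilities, most will probably be the same"). The following is an added example, not code from anyone on this thread, of collapsing several scanners' exports into one consistent finding list keyed by vulnerability class, host, path and parameter; the scanner names, alias table and finding records are constructed for the example.

```python
"""Merge findings exported by several scanners into one de-duplicated list.

Constructed example: the scanner names and the finding records below are
illustrative, not output from any real tool.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Map each scanner's own wording to one canonical vulnerability class.
# These alias strings are assumptions for the example.
ALIASES = {
    "cross site scripting": "xss", "xss": "xss", "reflected xss": "xss",
    "sql injection": "sqli", "sqli": "sqli", "blind sql injection": "sqli",
    "directory listing": "dirlist",
}

def finding_key(f):
    """Canonical key: (class, host, path, parameter) with the query string
    dropped, so the same bug reported by different tools collapses to one."""
    u = urlsplit(f["url"])
    vuln = ALIASES.get(f["type"].strip().lower(), f["type"].strip().lower())
    return (vuln, u.netloc.lower(), u.path.rstrip("/") or "/",
            f.get("param", "").lower())

def merge(reports):
    """reports: {scanner_name: [finding, ...]} -> sorted list of merged
    findings, each recording which scanners reported it (for re-scans)."""
    merged = defaultdict(lambda: {"scanners": []})
    for scanner, findings in reports.items():
        for f in findings:
            k = finding_key(f)
            entry = merged[k]
            entry.update(vuln=k[0], host=k[1], path=k[2], param=k[3])
            if scanner not in entry["scanners"]:
                entry["scanners"].append(scanner)
    return sorted(merged.values(), key=lambda e: (e["vuln"], e["path"], e["param"]))

# Constructed sample exports from three hypothetical scanners.
SAMPLE = {
    "scanner_a": [
        {"type": "Cross Site Scripting", "url": "http://app.example/search?q=x", "param": "q"},
        {"type": "SQL Injection", "url": "http://app.example/item?id=1", "param": "id"},
    ],
    "scanner_b": [
        {"type": "reflected xss", "url": "http://App.example/search/", "param": "Q"},
        {"type": "Directory Listing", "url": "http://app.example/static/"},
    ],
    "scanner_c": [
        {"type": "Blind SQL Injection", "url": "http://app.example/item", "param": "id"},
    ],
}

if __name__ == "__main__":
    for e in merge(SAMPLE):
        print(e["vuln"], e["path"], e["param"] or "-", ",".join(e["scanners"]))
```

The five raw findings collapse to three, and the `scanners` field tells you which tool to re-run when a developer asks for a re-scan of one issue.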

-----Original Message-----
From: Ryan Dewhurst <ryandewhurst at gmail.com>
Date: Wed, 4 May 2011 18:54:46 
To: <neza0x at gmail.com>
Cc: <websecurity-bounces at lists.webappsec.org>; dave b<db.pub.mail at gmail.com>; <websecurity at webappsec.org>
Subject: Re: [WEB SECURITY] which is the best web application vulnerabilityscanner

I'm sorry, but I have to disagree.

"Use as many as possible (to a degree)." was my original quote.

I'm not saying use every scanner at your disposal, pick 3 or 4 which you
find work best for you. Never rely on just one automated blackbox web
application scanner.

It is true in a commercial environment you are restricted by time and scope.
But nothing is stopping you from firing two scanners at a time. You will
spend slightly more time validating the scanner results but the benefits
outweigh this by a long shot. You still only have to write one report from
the results.

"What if you find 10. Vulns in Webinspect, 5 in AppScan and 3 in Acunetix"

Then you have 18 potential vulnerabilities to investigate if they are all
unique; some (most) will probably be the same vulnerability, but one or two
may not be.

For example:
I always run Nikto on every test, as well as DirBuster, w3af, a local proxy
tool and lots of other tools which aid me in my work.

And of course, don't ever just rely on automated blackbox scanners.

My original point was, use whatever tools and as many tools that are going
to aid you in finding and exploiting bugs (vulnerabilities).

Ryan Dewhurst

blog www.ethicalhack3r.co.uk
projects www.dvwa.co.uk | www.webwordcount.com
twitter www.twitter.com/ethicalhack3r


On Wed, May 4, 2011 at 6:40 PM, <neza0x at gmail.com> wrote:

> "Use As many as possible scanners" mmmmm??? Technically could be, but in
> the real Corporate world, you only have some days to test and validate, so,
> more scanners, more time to run/validate and multiple different reports too
> generate. Without any consistency.
>
> What if you find 10 vulns in WebInspect, 5 in AppScan and 3 in Acunetix?
>
> When the developer says, please re-scan! Crap!!!
>
> Too much maintenance.
>
> My suggestion would be: stick with one of the well-known ones (Acunetix,
> AppScan or WebInspect) and add to your process "Educating Testing", which
> means taking the results of the scan and doing a more intelligent, human test on
> the requests that look "bypassable".
>
> With this approach you could narrow down the gap of missing defects.
>
> And actually, the real critical vulns are found by humans not by scanners
> :-)
>
> My recommendation is to use a scanner that allows macro creation so that you
> can reach sections that the scanner itself cannot.
> Think of a process with 4 steps where the first one is to enter the invoice
> number or credit card; the scanner will never guess it and therefore will not be
> able to touch the next steps/sections/URLs/parameters.
>
> What about gotcha-enabled apps??
>
> WebInspect supports macros; Acunetix (at least in the version I used years
> ago) only supports login macros.
>
> Good luck.
> Sent via BlackBerry from Danux Network
>
> -----Original Message-----
> From: Ryan Dewhurst <ryandewhurst at gmail.com>
> Sender: websecurity-bounces at lists.webappsec.org
> Date: Wed, 4 May 2011 18:01:19
> To: dave b<db.pub.mail at gmail.com>
> Cc: <websecurity at webappsec.org>
> Subject: Re: [WEB SECURITY] which is the best web application vulnerability
>        scanner
>
