[WEB SECURITY] which is the best web application vulnerability scanner
Arian J. Evans
arian.evans at anachronic.com
Wed May 4 16:35:02 EDT 2011
"Nothing is stopping you two firing two scanners at the same time"
As someone who has tried this many, many times I can tell you with
conviction it just doesn't work. Anyone who has tried this with any
meaningful scanner configuration knows this won't work for obvious
The most obvious reason this "run multiple scanners in parallel"
doesn't work is that their test injections will stomp all over each
other and also wrangle responses. Especially in persistent fields.
You will get both false positives and false negatives.
Then we get to scanner state and timeout issues, and threading issues.
But I will stop my list there unless you want me to go on.
I simply share this wisdom to help any new folks on this list avoid
the headache that will ensue should they download and fire up 2-4
scanners in parallel on websites with lots of persistent data inputs.
For unauth brochureware, sure, have at it, at least until the app falls over.
Software Security Scanner Singularities
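To make the interference argument concrete, here is an added toy model (not code from this thread or any scanner): an in-memory "application" with one persistent field, and two scanners whose stored-input probes either run one after the other or interleave. The field names, markers and probe logic are constructed for the illustration.

```python
"""Toy model of two scanners probing one persistent field concurrently.

Added illustration for this thread, not code from the original post. The
application is an in-memory dict standing in for a stored field (e.g. a
profile bio); scanner names, markers and fields are constructed here.
"""
from dataclasses import dataclass, field


@dataclass
class StoredFieldApp:
    """Stores whatever is submitted and echoes every stored field on render."""
    store: dict = field(default_factory=dict)

    def submit(self, name: str, value: str) -> None:
        self.store[name] = value  # persisted; overwrites the previous value

    def render(self) -> str:
        return " | ".join(f"{k}={v}" for k, v in self.store.items())


def stored_probe(app: StoredFieldApp, name: str, marker: str) -> bool:
    """One scanner's stored-input check: write a unique marker, read it back."""
    app.submit(name, marker)
    return marker in app.render()


def serial_runs() -> tuple:
    """Scanners A and B run one after the other: both find their own marker."""
    app = StoredFieldApp()
    return (stored_probe(app, "bio", "MARK-A"), stored_probe(app, "bio", "MARK-B"))


def interleaved_runs() -> tuple:
    """Both submit before either reads back; B's write clobbers A's marker."""
    app = StoredFieldApp()
    app.submit("bio", "MARK-A")
    app.submit("bio", "MARK-B")
    page = app.render()
    return ("MARK-A" in page, "MARK-B" in page)  # A records a false negative


def misattributed_finding() -> bool:
    """A generic pattern check on B's parameter picks up A's stored payload."""
    app = StoredFieldApp()
    app.submit("bio", "<script>MARK-A</script>")  # scanner A's stored probe
    app.submit("city", "MARK-B")                  # scanner B's benign probe
    # B flags 'city' because the response now contains a script tag, although
    # the tag came from A's write to 'bio': a false positive for B.
    return "<script>" in app.render()
```

Serial runs return (True, True); the interleaved run returns (False, True), and the generic-signature check reports a finding on a parameter the other scanner never touched.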
On Wed, May 4, 2011 at 12:55 PM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
>> 1. In corporate environments you cannot just download any tool (especially freeware ones) and run it; those need to be approved tools, or at least it should be that way. I cannot imagine a company allowing its users to download/run anything they want.
> If corporate "security" policies prevent the actual security team from
> leveraging security testing tools, then... you probably have a problem
> more significant than selecting the right tool ;-)
>> 3. Scanners run in a corporate environment must be allowed through by IDS/IPS, WAF and so on to reach the target. As you know, every scanner has an HTTP header that identifies it to the network; with your approach, the networking team will need to allow different scanners in the network, and by the way, those could also be the ones used by malicious guys.
> Ditto if you whitelist access to your systems based on HTTP header layout ;-)