[WEB SECURITY] which is the best web application vulnerabilityscanner

Pete Herzog pete at isecom.org
Thu May 5 06:33:46 EDT 2011

On 5/4/2011 10:35 PM, Arian J. Evans wrote:
> "Nothing is stopping you two firing two scanners at the same time"
> As someone who has tried this many, many times I can tell you with
> conviction it just doesn't work. Anyone who has tried this with any

From the many, many testing scenarios we studied through Hacker
Highschool and OPST exams, we found that in testing in parallel, where
tools sent packets and waited for a reply, the main problem was
packets lost at the host. That means we could track them back to the
sending host, where they never made it to the reporting function of the
host. This also occurred where a sniffer was run in parallel to the
scanner on the same host. We suspect that collisions in the listening
portion of the tools were causing the problems. We found this got
worse the more layers of abstraction a result had to go through to go
from the Ethernet card to the tool GUI. Therefore command-line tools on
Linux directly installed (not VMware) AND not running a GUI had the
least problems of loss when run in parallel. However, even in that
scenario, there was still a very small number of losses when run in

We actually do convey this to our trainers to tell their students just 
so as to avoid possible problems with accuracy.


Pete Herzog - Managing Director - pete at isecom.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org
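As an added example (not part of Pete's message, ISECOM's materials, or any of the scanners discussed), the check below reconciles each tool's own "sent probe" records with its "received reply" records so that the loss Pete describes shows up in the results instead of silently shrinking them. It also flags whether a lost reply was sent while another tool on the same host had a probe outstanding, which is the contention case in the thread. The log format, tool names, and the 0.5 s timeout are constructed assumptions for the example.

```python
"""Reconcile a scanner's sent-probe log with its received-reply log.

Purpose: when several tools run in parallel on one host, replies can be
lost between the network card and the tool's reporting layer. A scanner
that only reports what it received will under-report; this check makes
the gap visible per tool and marks which losses overlap another tool's
activity. Added example; the log layout below is a constructed assumption.
"""
from collections import defaultdict

# Constructed sample log (assumed format): "<timestamp> <tool> <sent|recv> <probe_id>".
# Each tool numbers its own probes, so ids are only meaningful per tool.
SAMPLE_LOG = """\
# ts    tool      dir  id
1.000 scannerA sent 1
1.002 scannerB sent 1
1.003 scannerA sent 2
1.004 scannerB sent 2
1.005 scannerB sent 3
1.050 scannerA recv 1
1.052 scannerB recv 1
1.070 scannerB recv 2
1.080 scannerB recv 9
2.000 scannerA sent 3
2.040 scannerA recv 3
3.000 scannerA sent 4
"""

# Assumed: a probe with no reply is treated as "outstanding" for this long.
REPLY_TIMEOUT = 0.5


def parse_log(text):
    """Parse the constructed log format into (ts, tool, direction, id) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, tool, direction, pid = line.split()
        if direction not in ("sent", "recv"):
            raise ValueError(f"unknown direction {direction!r}")
        events.append((float(ts), tool, direction, int(pid)))
    events.sort(key=lambda e: e[0])
    return events


def other_tool_active(tool, ts, sent_at, recv_at):
    """True if some other tool had a probe outstanding at time ts."""
    for other, probes in sent_at.items():
        if other == tool:
            continue
        got = recv_at.get(other, {})
        for pid, t_sent in probes.items():
            t_done = got.get(pid, t_sent + REPLY_TIMEOUT)
            if t_sent <= ts <= t_done:
                return True
    return False


def reconcile(events):
    """Per tool: counts, missing replies, unexpected replies, and which
    missing replies were sent while another tool was active."""
    sent_at = defaultdict(dict)   # tool -> {probe_id: send time}
    recv_at = defaultdict(dict)   # tool -> {probe_id: reply time}
    for ts, tool, direction, pid in events:
        (sent_at if direction == "sent" else recv_at)[tool][pid] = ts

    report = {}
    for tool, probes in sent_at.items():
        got = recv_at.get(tool, {})
        missing = sorted(pid for pid in probes if pid not in got)
        unexpected = sorted(pid for pid in got if pid not in probes)
        report[tool] = {
            "sent": len(probes),
            "received": len(got) - len(unexpected),
            "missing": missing,
            "unexpected": unexpected,
            "loss_rate": len(missing) / len(probes) if probes else 0.0,
            # Losses that coincide with another tool's outstanding probe.
            "contended_missing": [
                pid for pid in missing
                if other_tool_active(tool, probes[pid], sent_at, recv_at)
            ],
        }
    return report


if __name__ == "__main__":
    for tool, r in reconcile(parse_log(SAMPLE_LOG)).items():
        print(f"{tool}: sent={r['sent']} received={r['received']} "
              f"loss={r['loss_rate']:.0%} missing={r['missing']} "
              f"contended={r['contended_missing']} unexpected={r['unexpected']}")
```

On the constructed sample, scannerA loses probes 2 and 4, but only probe 2 was sent while scannerB had a probe in flight; probe 4 was lost with no other tool active, so it cannot be blamed on contention. A reply id that was never sent (scannerB's id 9) is reported separately rather than counted as coverage.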
