[WEB SECURITY] open source web app scanners

Rohit Pitke rohirp92 at yahoo.com
Sat Jul 14 09:50:53 EDT 2012


Generally, open source scanners lack the research and packaging that commercial tools put together (AppScan, Hailstorm etc.).
But segregated open source tools can work at par with these tools. Some examples are:

1. Sqlmap: For SQL Injection
2. Nikto
3. Ratproxy/Skipfish: Decent XSS detection

-Rohit


________________________________
 From: Tasos Laskos <tasos.laskos at gmail.com>
To: Tom <tom.bifkin0 at gmail.com> 
Cc: websecurity at lists.webappsec.org 
Sent: Tuesday, July 10, 2012 3:28 AM
Subject: Re: [WEB SECURITY] open source web app scanners
 
Just as a heads up if you go with Arachni, it does have all the 
interesting stuff that Tom mentioned but has always been a bit quirky 
when pushed.

I made a turn, though, with the under-dev version and spent (and still do) 
an enormous amount of time on stability, so if you want to give it a 
shot, prefer the nightly builds [1] as they are probably more stable than 
the last "stable" version.

If you do go with it and come across a problem let me know, I usually 
respond fast.

Anyhow, I saw Arachni mentioned so I figured I better give you a heads up.

Good luck on finding a tool that fits your needs, it may get tricky.

[1] http://downloads.arachni-scanner.com/nightlies/

PS. I'm the project leader.

On 07/06/2012 04:42 AM, Tom wrote:
> Not quite on par with AppScan or other current commercial products, but
> one that's showing a lot of promise (especially for the enterprise level)
> is Arachni (https://github.com/Arachni/arachni).  Some interesting
> features: distributed deployment, command-line and web interfaces, a
> self-learning subsystem, and the ability to add custom
> audit/crawler/report modules through Ruby. The distributed deployment
> system is interesting because you're able to distribute the load of a scan
> across a set of servers to help increase scan performance.  You can also
> perform separate scans on separate servers and the results will all be
> uploaded to a single server for viewing.  It's still in its infancy and
> needs some love, but I believe it's on its way to becoming something great.
>
> -Tom
>
> On Wed, Jun 27, 2012 at 6:40 PM, Zippy Zeppoli <zippyzeppoli at gmail.com
> <mailto:zippyzeppoli at gmail.com>> wrote:
>
>     Hi List,
>     I was wondering if anyone has come across a web application security
>     scanner which is open source that is on par with IBM Rational AppScan.
>
>     I've come across some tools in the OWASP project but they don't even
>     seem to come close to a tool like AppScan.
>
>     Thanks in advance,
>     Z
>
>     _______________________________________________
>     The Web Security Mailing List
>
>     WebSecurity RSS Feed
>     http://www.webappsec.org/rss/websecurity.rss
>
>     Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>     WASC on Twitter
>     http://twitter.com/wascupdates
>
>    websecurity at lists.webappsec.org <mailto:websecurity at lists.webappsec.org>
>     http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>
>
>
>


