[WEB SECURITY] open source web app scanners

psiinon psiinon at gmail.com
Mon Jul 16 03:42:30 EDT 2012


It's worth having a look at the latest wavsep results:
http://sectooladdict.blogspot.co.uk/ <http://www.sectoolmarket.com/>
And if you're looking for an open source tool for detecting XSS issues then
I feel compelled to point out that OWASP ZAP came joint first in this
category with 100% detection rate and zero false positives ;)
http://www.sectoolmarket.com/reflected-cross-site-scripting-detection-accuracy-unified-list.html

Simon

On Sat, Jul 14, 2012 at 2:50 PM, Rohit Pitke <rohirp92 at yahoo.com> wrote:

> Generally open source scanners lack the research and packaging that commercial
> tools put together (AppScan, Hailstorm, etc.).
> But segregated open source tools can work at par with these tools. Some
> examples are
>
> 1. Sqlmap: for SQL injection
> 2. Nikto
> 3. Ratproxy/Skipfish: decent XSS detection
>
> -Rohit
>
>   ------------------------------
> *From:* Tasos Laskos <tasos.laskos at gmail.com>
> *To:* Tom <tom.bifkin0 at gmail.com>
> *Cc:* websecurity at lists.webappsec.org
> *Sent:* Tuesday, July 10, 2012 3:28 AM
>
> *Subject:* Re: [WEB SECURITY] open source web app scanners
>
> Just as a heads up if you go with Arachni, it does have all the
> interesting stuff that Tom mentioned but has always been a bit quirky
> when pushed.
>
> I made a turn though with the under dev version and spent (and still do)
> an enormous amount of time on stability, so if you want to give it a
> shot prefer the nightly builds [1] as they are probably more stable than
> the last "stable" version.
>
> If you do go with it and come across a problem let me know, I usually
> respond fast.
>
> Anyhow, I saw Arachni mentioned so I figured I better give you a heads up.
>
> Good luck on finding a tool that fits your needs, it may get tricky.
>
> [1] http://downloads.arachni-scanner.com/nightlies/
>
> PS. I'm the project leader.
>
> On 07/06/2012 04:42 AM, Tom wrote:
> > Not quite on par with AppScan or other current commercial products, but
> > one that's showing a lot of promise (especially for the enterprise level)
> > is Arachni (https://github.com/Arachni/arachni).  Some interesting
> > features: distributed deployment, command-line and web interfaces, a
> > self-learning subsystem, and the ability to add custom
> > audit/crawler/report modules through Ruby. The distributed deployment
> > system is interesting because you're able to distribute the load of a scan
> > across a set of servers to help increase scan performance.  You can also
> > perform separate scans on separate servers and the results will all be
> > uploaded to a single server for viewing.  It's still in its infancy and
> > needs some love, but I believe it's on its way to becoming something
> > great.
> >
> > -Tom
> >
> > On Wed, Jun 27, 2012 at 6:40 PM, Zippy Zeppoli <zippyzeppoli at gmail.com
> > <mailto:zippyzeppoli at gmail.com>> wrote:
> >
> >    Hi List,
> >    I was wondering if anyone has come across a web application security
> >    scanner which is open source that is on par with IBM Rational AppScan.
> >
> >    I've come across some tools in the OWASP project but they don't even
> >    seem to come close to a tool like AppScan.
> >
> >    Thanks in advance,
> >    Z
> >
> >    _______________________________________________
> >    The Web Security Mailing List
> >
> >    WebSecurity RSS Feed
> >    http://www.webappsec.org/rss/websecurity.rss
> >
> >    Join WASC on LinkedIn
> >    http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> >
> >    WASC on Twitter
> >    http://twitter.com/wascupdates
> >
> >    websecurity at lists.webappsec.org <mailto:websecurity at lists.webappsec.org>
> >    http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org


-- 
OWASP ZAP: Toolsmith Tool of the Year 2011
<http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html>