[WEB SECURITY] open source web app scanners

Jason Drury druryjason at yahoo.com
Tue Jul 17 09:47:37 EDT 2012


I have been using the commercial edition of Burp for 3 years and have been very happy with it. It is very cheap ($300/year) compared to other commercial products and it is fast, stable, and accurate (IMO).

Before I renewed Burp last time I looked at ZAP, w3af, and Arachni to check if any of them would allow me to replace Burp. I really liked Arachni but I had some stability issues. ZAP was a close second behind Arachni and w3af is a great tool, but it is massive and difficult to navigate. Sounds like all three are being actively developed so it will be interesting when I review them again this year.


________________________________
 From: Tasos Laskos <tasos.laskos at gmail.com>
To: Tom <tom.bifkin0 at gmail.com> 
Cc: websecurity at lists.webappsec.org 
Sent: Monday, July 9, 2012 4:58 PM
Subject: Re: [WEB SECURITY] open source web app scanners
 
Just as a heads up if you go with Arachni, it does have all the 
interesting stuff that Tom mentioned but has always been a bit quirky 
when pushed.

I made a turn though with the under-dev version and have spent (and still 
do) an enormous amount of time on stability, so if you want to give it a 
shot prefer the nightly builds [1] as they are probably more stable than 
the last "stable" version.

If you do go with it and come across a problem let me know, I usually 
respond fast.

Anyhow, I saw Arachni mentioned so I figured I better give you a heads up.

Good luck on finding a tool that fits your needs, it may get tricky.

[1] http://downloads.arachni-scanner.com/nightlies/

PS. I'm the project leader.

On 07/06/2012 04:42 AM, Tom wrote:
> Not quite on par with AppScan or other current commercial products, but
> one that's showing a lot of promise (especially for the enterprise level)
> is Arachni (https://github.com/Arachni/arachni).  Some interesting
> features: distributed deployment, command-line and web interfaces, a
> self-learning subsystem, and the ability to add custom
> audit/crawler/report modules through Ruby. The distributed deployment
> system is interesting because you're able to distribute the load of a scan
> across a set of servers to help increase scan performance.  You can also
> perform separate scans on separate servers and the results will all be
> uploaded to a single server for viewing.  It's still in its infancy and
> needs some love, but I believe it's on its way to becoming something great.
>
> -Tom
>
> On Wed, Jun 27, 2012 at 6:40 PM, Zippy Zeppoli <zippyzeppoli at gmail.com
> <mailto:zippyzeppoli at gmail.com>> wrote:
>
>     Hi List,
>     I was wondering if anyone has come across a web application security
>     scanner which is open source that is on par with IBM Rational AppScan.
>
>     I've come across some tools in the OWASP project but they don't even
>     seem to come close to a tool like AppScan.
>
>     Thanks in advance,
>     Z
>



_______________________________________________
The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity at lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org