[WEB SECURITY] best tool for web app scanning / pen testing

psiinon psiinon at gmail.com
Wed Mar 6 06:31:41 EST 2013


Hi Zippy,

I'm intrigued by your reluctance to use open source tools.
You seem to want a simple solution that just works out of the box.
I'd be surprised if you can find anything like that - I think all web app
scanners (commercial and open source) need some configuration to get the
most out of them.

I can't talk for any other tools, but ZAP is easy to install, and you can
perform a 'quick' scan by just entering a URL and pressing a button.
However, you will need to perform more configuration in order to handle
authentication and tune ZAP to work as effectively as possible with your
apps.
Not sure if you count that as 'engineering' ;)
If you do decide to give it a go, you'll hopefully find that, if you do have
any problems, any questions asked on our user group will get quick and
useful replies :)

Cheers,

Simon (ZAP project lead)


On Wed, Mar 6, 2013 at 9:20 AM, Vernon Jones <Vernon.Jones at derivco.com> wrote:

> Hey Z
>
>
> For commercial tools you can try one of the following
>
> HP Fortify WebInspect -
> http://www8.hp.com/us/en/software-solutions/software.html?compURI=1341991
>
> Acunetix - www.acunetix.com
>
>
> For Open source you can try one of the following
>
> OWASP Zed Attack Proxy with built-in scanner for OWASP Top 10 -
> https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
>
>
> CAT Proxy - http://www.contextis.com/research/tools/cat/
>
> Hope this helps dude
>
> V
>
>
> -----Original Message-----
> From: websecurity [mailto:websecurity-bounces at lists.webappsec.org] On
> Behalf Of Zippy Zeppoli
> Sent: 06 March 2013 03:54 AM
> To: websecurity at lists.webappsec.org
> Subject: [WEB SECURITY] best tool for web app scanning / pen testing
>
> Hello,
> I am looking for a solution to do web application vulnerability scanning /
> testing.
> IBM's rational appscan seems like a good solution, and I've used it in the
> past.
> The only problem seems to be the IBM part. I'm trying to engage them for a
> trial license that doesn't only scan some useless webgoat, and test it on
> my own app.
>
> I'm getting kind of dismayed with the responsiveness, so I'm wondering if
> there are better *commercial* solutions out there which are ready to go out
> of the box.
> I'd love to use open source tools, but I don't have the time to do the
> engineering part since I'm overburdened.
>
> Thanks for your tips.
>
> Z
>
> _______________________________________________
> The Web Security Mailing List
>
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>
>



-- 
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader