[WEB SECURITY] best tool for web app scanning / pen testing

Prasad Shenoy prasad.shenoy at gmail.com
Wed Mar 6 08:04:30 EST 2013


What exactly do you mean by engineering? Do you have a non-standard web application protocol scheme or authentication scheme that you suspect might need some workarounds? If so, you need to be more specific. From your email, I get an impression that all you want to do is run a web app scan and generate a report of potential vulnerabilities to be used by other downstream processes (risk, audit, compliance). If that be the case, you can very well use ZAP. The auditors should recognize OWASP by its name and ZAP by its affiliation to OWASP. Commercial tools won't buy you much for all the chasing you will have to do to get a trial license with no IP/Domain restrictions on the scans. 

ZAP is pretty intuitive. It took me more efforts to write this email than it takes to get ZAP up and running. 

ZAP is as out of the box as any tool can get if all you need to do is run application vulnerability scanning/testing in general, as you said in your email.

1. Download and Install Zap - 3 mins (depending on your n/w connection)
2. Configure IE to run through the proxy - 1 min
3. Sit back with a hot cup of Chai Tea Latte and watch ZAP do its magic - Priceless

Warning: No engineering needed

Note: 
If you do want to get specific and kind of dig deep into stuff only then you might have to deal with the engineering side of things but that's not too bad either :)

Try it! Free run on me :)

PS

On Mar 5, 2013, at 8:53 PM, Zippy Zeppoli <zippyzeppoli at gmail.com> wrote:

> Hello,
> I am looking for a solution to do web application vulnerability
> scanning / testing.
> IBM's rational appscan seems like a good solution, and I've used it in the past.
> The only problem seems to be the IBM part. I'm trying to engage them
> for a trial license that doesn't only scan some useless webgoat, and
> test it on my own app.
> 
> I'm getting kind of dismayed with the responsiveness, so I'm wondering
> if there are better *commercial* solutions out there which are ready
> to go out of the box.
> I'd love to use open source tools, but I don't have the time to do the
> engineering part since I'm overburdened.
> 
> Thanks for your tips.
> 
> Z
> 
> _______________________________________________
> The Web Security Mailing List
> 
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
> 
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> 
> WASC on Twitter
> http://twitter.com/wascupdates
> 
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org




More information about the websecurity mailing list