[WEB SECURITY] best tool for web app scanning / pen testing

firebits mrpa.security at gmail.com
Wed Mar 6 16:09:43 EST 2013


FYI

http://code.google.com/p/skipfish/

It is very fast, consumes little memory and generates 2000 requests per second,
but it has no GUI; for example, it is driven by parameters only.

I prefer it that fast.

@firebitsbr


2013/3/6 Nitin Vindhara <nitin.vindhara at gmail.com>

> My experience with appscan is better than with webinspect. I mean in
> terms of identifying the maximum number of vulnerabilities.
>
> However, a larger number of false positives are reported by appscan.
> Accunetix is better in terms of fewer false positives.
>
> Burp is semi-automated, but good at finding some additional vulnerabilities.
> It can be an additional scanner, but not the only one.
> Its main objective is as a proxy, not a scanner.
>
> However, the support for webinspect and accunetix is found to be better.
>
> So depending on your needs and the skill set you or your team have, a decision
> has to be taken.
>
> Also, these are my personal views; they cannot be foolproof.
>
> Regards
> Nitin
>
> On 3/6/13, Daniel Herrera <daherrera101 at yahoo.com> wrote:
> > "Web application scanners that provide trial licenses with limiters like
> > target domains can be circumvented by statically resolving their target
> > domain to an IP of your choosing on the environment that you are running
> >  the scanner from."
> >
> > --- On Wed, 3/6/13, Daniel Herrera <daherrera101 at yahoo.com> wrote:
> >
> > From: Daniel Herrera <daherrera101 at yahoo.com>
> > Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
> > To: "Zippy Zeppoli" <zippyzeppoli at gmail.com>, "Phil Gmail"
> > <phil at safewalls.net>
> > Cc: "websecurity at lists.webappsec.org" <websecurity at lists.webappsec.org>
> > Date: Wednesday, March 6, 2013, 11:06 AM
> >
> > Sooo... web application scanners that provide trial licenses with limiters
> > like target domains can be circumvented by statically resolving their target
> > domain to an IP of your choosing on the environment that you are running
> > that application from. Note that your target application must accept
> > arbitrary "Host" header entries.
> >
> > Some interesting options to look into would be:
> >
> > Netsparker
> > http://www.mavitunasecurity.com/netsparker/
> >
> > Websecurify
> > http://www.websecurify.com/suite
> >
> > Personally I don't put much faith in automated assessment utilities both
> > open and closed source. There are a lot of common flaws and pitfalls that
> > can negatively impact a scan and the quality of its output.
> >
> > I always recommend that people move past the tools and dig into the concepts
> > themselves, unlike network interrogation which in my opinion has a far
> > more finite set of test cases, application interrogation is very complex
> > and difficult to do generically well across the myriad of implementations
> > people come up with daily... literally. All that said, many of the paid
> > solutions have been working on the problem for a while and they set a decent
> > bar, hybrid solutions like Whitehat that provide managed scanning tend to
> > perform better than their unmanaged counterparts in my opinion.
> >
> > /morning ramble
> >
> > I didn't see your original question to the list, so this is the best answer
> > I could provide within the context of what I saw.
> >
> >
> > D
> >
> >
> >
> > --- On Tue, 3/5/13, Phil Gmail <phil at safewalls.net> wrote:
> >
> > From: Phil Gmail <phil at safewalls.net>
> > Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
> > To: "Zippy Zeppoli"
> >  <zippyzeppoli at gmail.com>
> > Cc: "websecurity at lists.webappsec.org" <websecurity at lists.webappsec.org>
> > Date: Tuesday, March 5, 2013, 6:46 PM
> >
> > I'd recommend Burp Pro, but it is not an automated tool.
> > Www.burpsuite.com
> >
> > Phil
> > Sent from iPhone
> > Twitter: @sec_prof
> >
> > On Mar 5, 2013, at 17:53, Zippy Zeppoli <zippyzeppoli at gmail.com> wrote:
> >
> >> Hello,
> >> I am looking for a solution to do web application vulnerability
> >> scanning / testing.
> >> IBM's rational appscan seems like a good solution, and I've used it in the
> >> past.
> >> The only problem seems to be the IBM part. I'm trying to engage them
> >> for a trial license that doesn't only scan some useless webgoat, and
> >> test it on my own app.
> >>
> >> I'm getting kind of dismayed with the responsiveness, so I'm wondering
> >> if there are better *commercial* solutions out there which are ready
> >> to go out of the box.
> >> I'd love to use open source tools, but I don't have the time to do the
> >> engineering part since I'm overburdened.
> >>
> >> Thanks for your tips.
> >>
> >> Z
> >>
> >> _______________________________________________
> >> The Web Security Mailing List
> >>
> >> WebSecurity RSS Feed
> >> http://www.webappsec.org/rss/websecurity.rss
> >>
> >> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> >>
> >> WASC on Twitter
> >> http://twitter.com/wascupdates
> >>
> >> websecurity at lists.webappsec.org
> >> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
> >
>
>
> --
> Regards
>
> Nitin Vindhara
>