[WEB SECURITY] best tool for web app scanning / pen testing

Prasad Shenoy prasad.shenoy at gmail.com
Wed Mar 6 16:26:51 EST 2013


I love Skipfish too, but Zippy said no "engineering". The word "Cygwin" might scare him away, or so I thought..... (I am only joking, Zippy!)

PS

On Mar 6, 2013, at 4:09 PM, firebits <mrpa.security at gmail.com> wrote:

> FYI
> 
> http://code.google.com/p/skipfish/
> 
> It is very fast, consumes little memory and makes 2000 requests per second, but it has no GUI; for example, it is parameters only.
> 
> I prefer it that fast.
> 
> @firebitsbr
> 
> 
> 2013/3/6 Nitin Vindhara <nitin.vindhara at gmail.com>
>> My experience with AppScan is better than with WebInspect. I mean in
>> terms of identifying the maximum number of vulnerabilities.
>> 
>> However, more false positives are reported by AppScan.
>> Acunetix is better in terms of fewer false positives.
>> 
>> Burp is semi-automated, but good at finding some additional vulnerabilities.
>> It can be an additional scanner, but not the only one.
>> Its main objective is as a proxy, not a scanner.
>> 
>> However, support for WebInspect and Acunetix is found to be better.
>> 
>> So depending on your needs and the skill set you or your team have, the decision
>> has to be taken.
>> 
>> Also, these are my personal views; they cannot be foolproof.
>> 
>> Regards
>> Nitin
>> 
>> On 3/6/13, Daniel Herrera <daherrera101 at yahoo.com> wrote:
>> > "Web application scanners that provide trial licenses with limiters like
>> > target domains can be circumvented by statically resolving their target
>> > domain to an IP of your choosing on the environment that you are running
>> >  the scanner from."
>> >
>> > --- On Wed, 3/6/13, Daniel Herrera <daherrera101 at yahoo.com> wrote:
>> >
>> > From: Daniel Herrera <daherrera101 at yahoo.com>
>> > Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
>> > To: "Zippy Zeppoli" <zippyzeppoli at gmail.com>, "Phil Gmail"
>> > <phil at safewalls.net>
>> > Cc: "websecurity at lists.webappsec.org" <websecurity at lists.webappsec.org>
>> > Date: Wednesday, March 6, 2013, 11:06 AM
>> >
>> > Sooo... web application scanners that provide trial licenses with limiters
>> > like target domains can be circumvented by statically resolving their target
>> > domain to an IP of your choosing on the environment that you are running
>> > that application from. Note that your target application must accept
>> > arbitrary "Host" header entries.
>> >
>> > Some interesting options to look into would be:
>> >
>> > Netsparker
>> > http://www.mavitunasecurity.com/netsparker/
>> >
>> > Websecurify
>> > http://www.websecurify.com/suite
>> >
>> > Personally I don't put much faith in automated assessment utilities both
>> > open and closed source. There are a lot of common flaws and pitfalls that
>> > can negatively impact a scan and the quality of its output.
>> >
>> > I always recommend that people move past the tools and dig into the concepts
>> > themselves. Unlike network interrogation, which in my opinion has a far
>> > more finite set of test cases, application interrogation is very complex
>> > and difficult to do generically well across the myriad of implementations
>> > people come up with daily... literally. All that said, many of the paid
>> > solutions have been working on the problem for a while and they set a decent
>> > bar; hybrid solutions like WhiteHat that provide managed scanning tend to
>> > perform better than their unmanaged counterparts in my opinion.
>> >
>> > /morning ramble
>> >
>> > I didn't see your original question to the list, so this is the best answer
>> > I could provide within the context of what I saw.
>> >
>> >
>> > D
>> >
>> >
>> >
>> > --- On Tue, 3/5/13, Phil Gmail <phil at safewalls.net> wrote:
>> >
>> > From: Phil Gmail <phil at safewalls.net>
>> > Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
>> > To: "Zippy Zeppoli"
>> >  <zippyzeppoli at gmail.com>
>> > Cc: "websecurity at lists.webappsec.org" <websecurity at lists.webappsec.org>
>> > Date: Tuesday, March 5, 2013, 6:46 PM
>> >
>> > I'd recommend Burp Pro, but it is not an automated tool. www.burpsuite.com
>> >
>> > Phil
>> > Sent from iPhone
>> > Twitter: @sec_prof
>> >
>> > On Mar 5, 2013, at 17:53, Zippy Zeppoli <zippyzeppoli at gmail.com> wrote:
>> >
>> >> Hello,
>> >> I am looking for a solution to do web application vulnerability
>> >> scanning / testing.
>> >> IBM's Rational AppScan seems like a good solution, and I've used it in the
>> >> past.
>> >> The only problem seems to be the IBM part. I'm trying to engage them
>> >> for a trial license that doesn't only scan some useless webgoat, and
>> >> test it on my own app.
>> >>
>> >> I'm getting kind of dismayed with the responsiveness, so I'm wondering
>> >> if there are better *commercial* solutions out there which are ready
>> >> to go out of the box.
>> >> I'd love to use open source tools, but I don't have the time to do the
>> >> engineering part since I'm overburdened.
>> >>
>> >> Thanks for your tips.
>> >>
>> >> Z
>> >>
>> >> _______________________________________________
>> >> The Web Security Mailing List
>> >>
>> >> WebSecurity RSS Feed
>> >> http://www.webappsec.org/rss/websecurity.rss
>> >>
>> >> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>> >>
>> >> WASC on Twitter
>> >> http://twitter.com/wascupdates
>> >>
>> >> websecurity at lists.webappsec.org
>> >> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>> >
>> >
>> 
>> 
>> --
>> Regards
>> 
>> Nitin Vindhara
>> 
> 
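Daniel's caveat in the quoted thread (a hosts-file override of the scanner's target hostname only reaches the right application if the target accepts arbitrary Host headers) is the part worth checking before anyone relies on it. The following is an added example, not code from the thread or from any of the scanners it mentions: it stands up a constructed local target in two modes (strict virtual-host routing versus serving the same content to any Host value) and probes whether responses for the canonical hostname match those for arbitrary Host values. The hostname target.example, the probe values and the local server are assumptions for illustration; against a real target you would point `fetch()` at the host and port you actually resolve the name to.

```python
import http.server
import socketserver
import threading
import urllib.error
import urllib.request

# Hypothetical hostname a scanner licence might be pinned to; on a real host the
# override would be a hosts-file line such as "10.0.0.5 target.example".
CANONICAL_HOST = "target.example"

# Build an opener that ignores http_proxy/https_proxy so loopback probes go direct.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class _TargetHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the target application. With strict=True it
    routes by virtual host and answers 404 for any other Host value; with
    strict=False it serves the same content whatever Host it is given."""

    strict = False  # overridden per server in start_server()

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        if self.strict and host != CANONICAL_HOST:
            status, body = 404, b"no such virtual host\n"
        else:
            status, body = 200, b"application front page\n"
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the constructed server quiet


def start_server(strict):
    """Start a constructed target on a free loopback port; return (server, port)."""
    handler = type("Handler", (_TargetHandler,), {"strict": strict})
    server = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def fetch(port, host_header, path="/"):
    """GET `path` from 127.0.0.1:port sending an explicit Host header.
    Returns (status, body) so that responses can be compared exactly."""
    req = urllib.request.Request(
        f"http://127.0.0.1:{port}{path}", headers={"Host": host_header}
    )
    try:
        with _OPENER.open(req, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def accepts_arbitrary_host(port, canonical_host, probe_hosts):
    """True when the target answers identically for the canonical hostname and
    for every probe value, i.e. a hosts-file override would reach the same
    application. Any difference means the target routes on the Host header."""
    reference = fetch(port, canonical_host)
    return all(fetch(port, probe) == reference for probe in probe_hosts)


if __name__ == "__main__":
    probes = ["10.0.0.5", "scanner.invalid"]  # constructed probe Host values
    for strict in (True, False):
        server, port = start_server(strict)
        ok = accepts_arbitrary_host(port, CANONICAL_HOST, probes)
        print(f"strict vhost routing={strict}: arbitrary Host accepted={ok}")
        server.shutdown()
        server.server_close()
```

The comparison is deliberately on status and body only; headers such as Date differ between requests and would make every target look Host-sensitive. A target behind a name-based virtual host, a CDN or a load balancer that keys on Host will fail this check, and in that case the hosts-file override simply lands on the default site, not the application you meant to scan.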

