[WEB SECURITY] best tool for web app scanning / pen testing

Daniel Herrera daherrera101 at yahoo.com
Wed Mar 6 16:29:33 EST 2013


+1 Skipfish

Love the utility, props to Zalewski for writing some great freeware.

--- On Wed, 3/6/13, firebits <mrpa.security at gmail.com> wrote:

From: firebits <mrpa.security at gmail.com>
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
To: "Nitin Vindhara" <nitin.vindhara at gmail.com>
Cc: "Daniel Herrera" <daherrera101 at yahoo.com>, "websecurity at lists.webappsec.org" <websecurity at lists.webappsec.org>, "Phil Gmail" <phil at safewalls.net>, "Mauro Risonho de Paula Assumpção" <mrpa.security at gmail.com>
Date: Wednesday, March 6, 2013, 1:09 PM

FYI

http://code.google.com/p/skipfish/

It is very fast, consumes little memory and can generate 2000 requests per second, but it has no GUI; for example, it is driven only by parameters.

I prefer it that fast.

@firebitsbr


2013/3/6 Nitin Vindhara <nitin.vindhara at gmail.com>

My experience with AppScan is better than with WebInspect, I mean in
terms of identifying the maximum number of vulnerabilities.

However, a greater number of false positives are reported by AppScan.
Acunetix is better in terms of fewer false positives.

Burp is semi-automated, but good at finding some additional vulnerabilities.
It can be an additional scanner, but not the only one.
Its main purpose is as a proxy, not a scanner.

However, the support for WebInspect and Acunetix is found to be better.

So, depending on your needs and the skill set you or your team have, the decision
has to be taken.

Also, these are my personal views; they cannot be foolproof.

Regards
Nitin



On 3/6/13, Daniel Herrera <daherrera101 at yahoo.com> wrote:
> "Web application scanners that provide trial licenses with limiters like
> target domains can be circumvented by statically resolving their target
> domain to an IP of your choosing on the environment that you are running
> the scanner from."
>
> --- On Wed, 3/6/13, Daniel Herrera <daherrera101 at yahoo.com> wrote:
>
> From: Daniel Herrera <daherrera101 at yahoo.com>
> Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
> To: "Zippy Zeppoli" <zippyzeppoli at gmail.com>, "Phil Gmail" <phil at safewalls.net>
> Cc: "websecurity at lists.webappsec.org" <websecurity at lists.webappsec.org>
> Date: Wednesday, March 6, 2013, 11:06 AM
>
> Sooo... web application scanners that provide trial licenses with limiters
> like target domains can be circumvented by statically resolving their target
> domain to an IP of your choosing on the environment that you are running
> that application from. Note that your target application must accept
> arbitrary "Host" header entries.
>
> Some interesting options to look into would be:
>
> Netsparker
> http://www.mavitunasecurity.com/netsparker/
>
> Websecurify
> http://www.websecurify.com/suite
>
> Personally I don't put much faith in automated assessment utilities, both
> open and closed source. There are a lot of common flaws and pitfalls that
> can negatively impact a scan and the quality of its output.
>
> I always recommend that people move past the tools and dig into the concepts
> themselves. Unlike network interrogation, which in my opinion has a far
> more finite set of test cases, application interrogation is very complex
> and difficult to do generically well across the myriad of implementations
> people come up with daily... literally. All that said, many of the paid
> solutions have been working on the problem for a while and they set a decent
> bar; hybrid solutions like WhiteHat that provide managed scanning tend to
> perform better than their unmanaged counterparts in my opinion.
>
> /morning ramble
>
> I didn't see your original question to the list, so this is the best answer
> I could provide within the context of what I saw.
>
> D
>
> --- On Tue, 3/5/13, Phil Gmail <phil at safewalls.net> wrote:
>
> From: Phil Gmail <phil at safewalls.net>
> Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
> To: "Zippy Zeppoli" <zippyzeppoli at gmail.com>
> Cc: "websecurity at lists.webappsec.org" <websecurity at lists.webappsec.org>
> Date: Tuesday, March 5, 2013, 6:46 PM
>
> I'd recommend Burp Pro, but it is not an automated tool. Www.burpsuite.com
>
> Phil
> Sent from iPhone
> Twitter: @sec_prof
>
> On Mar 5, 2013, at 17:53, Zippy Zeppoli <zippyzeppoli at gmail.com> wrote:
>
>> Hello,
>> I am looking for a solution to do web application vulnerability
>> scanning / testing.
>> IBM's Rational AppScan seems like a good solution, and I've used it in the
>> past.
>> The only problem seems to be the IBM part. I'm trying to engage them
>> for a trial license that doesn't only scan some useless WebGoat, and
>> test it on my own app.
>>
>> I'm getting kind of dismayed with the responsiveness, so I'm wondering
>> if there are better *commercial* solutions out there which are ready
>> to go out of the box.
>> I'd love to use open source tools, but I don't have the time to do the
>> engineering part since I'm overburdened.
>>
>> Thanks for your tips.
>>
>> Z
>>
>> _______________________________________________
>> The Web Security Mailing List
>>
>> WebSecurity RSS Feed
>> http://www.webappsec.org/rss/websecurity.rss
>>
>> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>
>> WASC on Twitter
>> http://twitter.com/wascupdates
>>
>> websecurity at lists.webappsec.org
>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>






--
Regards

Nitin Vindhara



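The caveat in the quoted note above (pinning a scanner's licensed domain to another IP only works if the target application accepts an arbitrary "Host" header) is something you can verify before wasting a scan. The following is an added example, not code from the thread or from any of the tools it names: it stands up two constructed stand-in apps on localhost, one that routes on whatever Host it is given and one that validates Host against an allowlist (the assumed `ALLOWED_HOSTS` set), then connects to the server by IP while sending an assumed licensed domain name (`licensed-target.example`) in the Host header, exactly as a hosts-file pin would. The same probe, pointed at a real target, tells you whether the app is Host-agnostic or whether it rejects unknown hosts, which is also the behaviour you want from a hardened app.

```python
"""Check whether a web app reached by IP accepts an arbitrary Host header.

Added example for the thread above, not code from any tool named in it.
The two in-process servers are constructed stand-ins: one serves any
Host, the other validates Host against an allowlist.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_HOSTS = {"app.local"}  # assumed allowlist of the host-validating stand-in


def make_handler(validate_host: bool):
    """Build a request handler; with validate_host=True an unknown Host gets 400."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            host = (self.headers.get("Host") or "").split(":")[0].lower()
            if validate_host and host not in ALLOWED_HOSTS:
                self.send_response(400)
                self.send_header("Content-Length", "0")
                self.end_headers()
                return
            body = f"served for host={host}\n".encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the example quiet
            pass

    return Handler


def start_server(validate_host: bool) -> HTTPServer:
    """Start a stand-in app on 127.0.0.1 on an ephemeral port, in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), make_handler(validate_host))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def stop_server(srv: HTTPServer) -> None:
    """Stop the serve_forever loop and release the listening socket."""
    srv.shutdown()
    srv.server_close()


def probe_host(ip: str, port: int, host_header: str) -> int:
    """Send GET / to ip:port with the given Host header and return the status code.

    This mirrors a hosts-file pin: the TCP connection goes to `ip`, but the
    Host header still carries the domain name the scanner was licensed for.
    """
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    try:
        conn.request("GET", "/", headers={"Host": host_header})
        return conn.getresponse().status
    finally:
        conn.close()


def accepts_arbitrary_host(ip: str, port: int, host_header: str) -> bool:
    """True if the app serves normally (2xx) for a Host it does not own."""
    return 200 <= probe_host(ip, port, host_header) < 300


if __name__ == "__main__":
    # Equivalent hosts-file pin for a real run (assumed domain name):
    #   127.0.0.1  licensed-target.example
    for label, strict in (("permissive app", False), ("host-validating app", True)):
        srv = start_server(strict)
        ip, port = srv.server_address
        ok = accepts_arbitrary_host(ip, port, "licensed-target.example")
        print(f"{label}: accepts arbitrary Host -> {ok}")
        stop_server(srv)
```

Against a real target, replace the stand-in servers with the target's IP and port and keep `probe_host` as-is; a 2xx with the foreign Host means the trick described in the thread will work, while a 400 or a redirect to the canonical hostname means the app validates Host and the scanner's requests will never reach the real application logic.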


