[WEB SECURITY] best tool for web app scanning / pen testing

firebits mrpa.security at gmail.com
Thu Mar 7 14:29:39 EST 2013


I'm optimizing and adding more strings to the LFI section

/* Strings for traversal and file disclosure tests. Should the order not be
changed */ in checks.h

but I haven't officially informed the creators of the project yet; I'll
do that this weekend.

+50 new LFI strings

Sorry for my bad English

@firebitsbr


2013/3/7 Ofer Shezaf <ofer at shezaf.com>

> Commercial scanners do that today, usually as part of their integration
> with a runtime element embedded in the application.
>
> ~ Ofer
>
> -----Original Message-----
> From: websecurity [mailto:websecurity-bounces at lists.webappsec.org]
> On Behalf Of Dinis Cruz
> Sent: Thursday, March 07, 2013 12:46 AM
> To: Nitin Vindhara
> Cc: websecurity at lists.webappsec.org; Phil Gmail
> Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
>
> If you have access to the source code of the target application, you should
> also analyse it and extract data to feed to the web scanners (for example
> all possible URLs, form fields, web services, REST interfaces, etc.).
>
> Dinis Cruz
>
> On 6 Mar 2013, at 19:55, Nitin Vindhara <nitin.vindhara at gmail.com> wrote:
>
> > My experience with AppScan is better than with WebInspect. I mean in
> > terms of identifying the maximum number of vulnerabilities.
> >
> > However, more false positives are reported by AppScan.
> > Acunetix is better in terms of fewer false positives.
> >
> > Burp is semi-automated, but good at finding some additional
> > vulnerabilities. It can be an additional scanner, but not the only one.
> > Its main objective is as a proxy, not a scanner.
> >
> > However, the support of WebInspect and Acunetix is found to be better.
> >
> > So depending on your needs and the skill set you or your team have, the
> > decision has to be taken.
> >
> > Also, these are my personal views; this cannot be foolproof.
> >
> > Regards
> > Nitin
> >
> > On 3/6/13, Daniel Herrera <daherrera101 at yahoo.com> wrote:
> >> "Web application scanners that provide trial licenses with limiters
> >> like target domains can be circumvented by statically resolving their
> >> target domain to an IP of your choosing on the environment that you
> >> are running the scanner from."
> >>
> >> --- On Wed, 3/6/13, Daniel Herrera <daherrera101 at yahoo.com> wrote:
> >>
> >> From: Daniel Herrera <daherrera101 at yahoo.com>
> >> Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
> >> testing
> >> To: "Zippy Zeppoli" <zippyzeppoli at gmail.com>, "Phil Gmail"
> >> <phil at safewalls.net>
> >> Cc: "websecurity at lists.webappsec.org"
> >> <websecurity at lists.webappsec.org>
> >> Date: Wednesday, March 6, 2013, 11:06 AM
> >>
> >> Sooo... web application scanners that provide trial licenses with
> >> limiters like target domains can be circumvented by statically
> >> resolving their target domain to an IP of your choosing on the
> >> environment that you are running that application from. Note that
> >> your target application must accept arbitrary "Host" header entries.
> >>
> >> Some interesting options to look into would be:
> >>
> >> Netsparker
> >> http://www.mavitunasecurity.com/netsparker/
> >>
> >> Websecurify
> >> http://www.websecurify.com/suite
> >>
> >> Personally I don't put much faith in automated assessment utilities,
> >> both open and closed source. There are a lot of common flaws and
> >> pitfalls that can negatively impact a scan and the quality of its
> >> output.
> >>
> >> I always recommend that people move past the tools and dig into the
> >> concepts themselves. Unlike network interrogation, which in my opinion
> >> has a far more finite set of test cases, application interrogation is
> >> very complex and difficult to do generically well across the myriad
> >> of implementations people come up with daily... literally. All that
> >> said, many of the paid solutions have been working on the problem for
> >> a while and they set a decent bar; hybrid solutions like WhiteHat
> >> that provide managed scanning tend to perform better than their
> >> unmanaged counterparts in my opinion.
> >>
> >> /morning ramble
> >>
> >> I didn't see your original question to the list, so this is the best
> >> answer I could provide within the context of what I saw.
> >>
> >>
> >> D
> >>
> >>
> >>
> >> --- On Tue, 3/5/13, Phil Gmail <phil at safewalls.net> wrote:
> >>
> >> From: Phil Gmail <phil at safewalls.net>
> >> Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
> >> testing
> >> To: "Zippy Zeppoli"
> >> <zippyzeppoli at gmail.com>
> >> Cc: "websecurity at lists.webappsec.org"
> >> <websecurity at lists.webappsec.org>
> >> Date: Tuesday, March 5, 2013, 6:46 PM
> >>
> >> I'd recommend Burp Pro, but it is not an automated tool.
> >> Www.burpsuite.com
> >>
> >> Phil
> >> Sent from iPhone
> >> Twitter: @sec_prof
> >>
> >> On Mar 5, 2013, at 17:53, Zippy Zeppoli <zippyzeppoli at gmail.com> wrote:
> >>
> >>> Hello,
> >>> I am looking for a solution to do web application vulnerability
> >>> scanning / testing.
> >>> IBM's Rational AppScan seems like a good solution, and I've used it
> >>> in the past.
> >>> The only problem seems to be the IBM part. I'm trying to engage them
> >>> for a trial license that doesn't only scan some useless WebGoat, and
> >>> test it on my own app.
> >>>
> >>> I'm getting kind of dismayed with the responsiveness, so I'm
> >>> wondering if there are better *commercial* solutions out there which
> >>> are ready to go out of the box.
> >>> I'd love to use open source tools, but I don't have the time to do
> >>> the engineering part since I'm overburdened.
> >>>
> >>> Thanks for your tips.
> >>>
> >>> Z
> >>>
> >>> _______________________________________________
> >>> The Web Security Mailing List
> >>>
> >>> WebSecurity RSS Feed
> >>> http://www.webappsec.org/rss/websecurity.rss
> >>>
> >>> Join WASC on LinkedIn
> >>> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> >>>
> >>> WASC on Twitter
> >>> http://twitter.com/wascupdates
> >>>
> >>> websecurity at lists.webappsec.org
> >>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
> >>
> >
> >
> > --
> > Regards
> >
> > Nitin Vindhara
> >
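Dinis Cruz's suggestion above (analyse the source you have access to and feed the scanner everything you find) as an added example that is not from the thread or from any scanner it names. The script below walks Flask-style `@app.route` decorators and HTML forms in two constructed sample strings and flattens what it finds into "METHOD url" seed lines; the decorator syntax handled, the sample source and templates, and the `https://app.example/` base URL are all assumptions, and a real project needs extractors for its own framework and template language.

```python
"""Pull scanner seed data (URLs, HTTP methods, form fields) out of source.

Hypothetical example: only Flask-style route decorators and plain HTML
<form> blocks are recognised. Constructed samples are embedded below so the
script runs offline.
"""
import re
from urllib.parse import urljoin

# Constructed sample: a Flask-style view module (hypothetical app).
SAMPLE_VIEWS = '''
@app.route("/")
def index(): ...

@app.route("/users/<int:user_id>", methods=["GET", "DELETE"])
def user(user_id): ...

@app.route("/api/v1/search", methods=["POST"])
def search(): ...
'''

# Constructed sample: a template with a login form and a hidden field.
SAMPLE_TEMPLATE = '''
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="x">
</form>
'''

ROUTE_RE = re.compile(
    r'@app\.route\(\s*"(?P<path>[^"]+)"'
    r'(?:\s*,\s*methods\s*=\s*\[(?P<methods>[^\]]*)\])?'
)
# Flask path converters such as <int:user_id>; group 1 is the parameter name.
PARAM_RE = re.compile(r'<(?:[a-z]+:)?([A-Za-z_]\w*)>')
FORM_RE = re.compile(r'<form\b([^>]*)>(.*?)</form>', re.S | re.I)
INPUT_NAME_RE = re.compile(r'<input\b[^>]*\bname="([^"]+)"', re.I)


def extract_routes(source):
    """Return [{path, methods, path_params}] for each @app.route decorator."""
    routes = []
    for m in ROUTE_RE.finditer(source):
        raw = m.group("methods")
        # Flask defaults to GET when no methods list is given.
        methods = ([s.strip().strip('"\'') for s in raw.split(",")]
                   if raw else ["GET"])
        routes.append({
            "path": m.group("path"),
            "methods": methods,
            "path_params": PARAM_RE.findall(m.group("path")),
        })
    return routes


def extract_forms(html):
    """Return [{action, method, fields}] for each <form> in a template."""
    forms = []
    for m in FORM_RE.finditer(html):
        attrs, body = m.group(1), m.group(2)
        action = re.search(r'action="([^"]*)"', attrs, re.I)
        method = re.search(r'method="([^"]*)"', attrs, re.I)
        forms.append({
            "action": action.group(1) if action else "",
            "method": (method.group(1) if method else "GET").upper(),
            "fields": INPUT_NAME_RE.findall(body),
        })
    return forms


def build_seed_list(base_url, routes, forms):
    """Flatten routes and forms into sorted, de-duplicated seed lines."""
    seeds = set()
    for r in routes:
        # Substitute a placeholder for path parameters so the URL is concrete.
        concrete = PARAM_RE.sub("1", r["path"])
        for method in r["methods"]:
            seeds.add(f"{method} {urljoin(base_url, concrete)}")
    for f in forms:
        line = f"{f['method']} {urljoin(base_url, f['action'])}"
        if f["fields"]:
            line += " fields=" + ",".join(f["fields"])
        seeds.add(line)
    return sorted(seeds)


if __name__ == "__main__":
    for line in build_seed_list("https://app.example/",
                                extract_routes(SAMPLE_VIEWS),
                                extract_forms(SAMPLE_TEMPLATE)):
        print(line)
```

The value of the list is that it covers endpoints a crawler never reaches from the home page (the `DELETE` on `/users/<id>` and the JSON search API above have no link pointing at them), so the scanner's coverage is bounded by the code rather than by what happens to be linked.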