[WEB SECURITY] best tool for web app scanning / pen testing

The Dead th3d34d at gmail.com
Thu Mar 7 21:25:58 EST 2013


Check this:

http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html



On Thu, Mar 7, 2013 at 6:31 PM, Prasad Shenoy <prasad.shenoy at gmail.com> wrote:
> Every once in a while someone posts this question about "best tool for web
> app scanning" and we as a community get into the same kind of discussion
> only to agree to agree or agree to disagree at the end.
>
> I don't believe any of this helps the person asking the question by whatever
> intent possible. If anything, the technological gibberish (pardon me) only
> adds to more FUD around the mind of someone trying to get a straight answer
> to a straightforward question.
>
> /evening rant
>
> PS
>
> On Mar 7, 2013, at 3:45 PM, "Ofer Shezaf" <ofer at shezaf.com> wrote:
>
> Humor aside, I think we are very much in agreement. Even the best of tools
> will not replace humans.
>
> The issue is that I think tools should be evaluated, at least in most cases,
> based on how they empower the average and not very experienced app sec guy
> rather than how lethal they are in the hand of the master.
>
> ~ Ofer
>
> From: Andre Gironda [mailto:andreg at gmail.com]
> Sent: Thursday, March 07, 2013 10:28 PM
> To: Ofer Shezaf
> Cc: Dinis Cruz; Nitin Vindhara; websecurity at lists.webappsec.org; Phil Gmail
> Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
>
>
> Ofer,
>
> It's just that most Unixes come with either wget or curl right from the
> start. You'd have to install PowerShell to get anything equivalent on
> Windows, unless you were already a developer who had your own HTTP/TLS
> clients written in a certain language, such as .NET (which could also be
> ported to Unix with Mono).
>
> Metasploit requires Unix (or Cygwin when on Windows), and it's the dominant
> pen testing platform across the world. How could you say it's just me?
>
> There are many open-source tools, libraries, frameworks, and testing
> platforms, especially built around Unix platforms. During a pen test, it's
> about combining those things together -- to which I haven't seen a good
> commercial library or framework in the web app pen space.
>
> There are some commercial tools that can be used by pen-testers in the
> Enterprise workflow for application security risk management purposes. For
> example, I like to get all of my findings into Burp Suite Professional so
> that I can submit them to Fortify Software Security Center. Note that I work
> for HP, so I may come across Fortify SSC more often than this audience.
>
> By no means should you assume that I or anyone who does web app pen for
> HP or any company uses only those tools. I am literally saying here that all
> tools are relevant and have purpose when dealing with appsec. If you want to
> present your findings to an information security team, directors, or C-level
> executives trying to make decisions around appsec risk management issues,
> then there are few commercial portal offerings to aid in that effort.
> Application security risk management portals are a critical path to instill
> inside a large-installation organization.
>
> In other words, it's not "which tools" you need "to buy", but more "what
> skillsets do you need to find the issues and can those skills match up to
> the requirements necessary to report/understand/mediate those issues?". The
> answer to the skillsets is usually either a Unix person, or an appdev who
> has written their own HTTP/TLS clients and XML/JSON/HTML/JS/AS parsers.
> Would you say it's easier to find/educate a Unix person or a specific-domain
> appdev?
>
>
> dre
>
> On Thu, Mar 7, 2013 at 12:42 PM, Ofer Shezaf <ofer at shezaf.com> wrote:
>
> I gave it a try. I SSHed to the first Unix machine I could find. I stared at
> the prompt. It stared at me. Alas, no application vulnerability surfaced out
> from the black surface.
>
> What you really say is that Unix + Andre is the best tool. I accept that.
> The only issue is that Andre is a very scarce resource (approximately 1 in 7
> billion in the sample population).
>
> ~ Ofer
>
> From: Andre Gironda [mailto:andreg at gmail.com]
> Sent: Thursday, March 07, 2013 8:37 PM
> To: Ofer Shezaf
> Cc: Dinis Cruz; Nitin Vindhara; websecurity at lists.webappsec.org; Phil Gmail
>
> Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
>
> I like to pick up a new tool every time I need to do something with web apps
> or pen-testing. Or pick up a new way to write an HTTP client in a different
> language. Or parse HTML/JS/AS. Or especially to figure out what blobs of
> data are.
>
> Therefore, I have concluded that the best tool for web app scanning / pen
> testing is Unix. Any Unix or clone of Unix, or subset of Unix such as
> Cygwin. They'll all do. ;>
>
> dre
>
>
>
>
> On Wed, Mar 6, 2013 at 11:02 PM, Ofer Shezaf <ofer at shezaf.com> wrote:
>
> Commercial scanners do that today, usually as part of their integration with
> a runtime element embedded in the application.
>
> ~ Ofer
>
> -----Original Message-----
> From: websecurity [mailto:websecurity-bounces at lists.webappsec.org] On Behalf
> Of Dinis Cruz
> Sent: Thursday, March 07, 2013 12:46 AM
> To: Nitin Vindhara
> Cc: websecurity at lists.webappsec.org; Phil Gmail
> Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
>
> If you have access to the source code of the target application, you should
> also analyse it and extract data to feed to the web scanners (for example
> all possible URLs, form fields, web services, REST interfaces, etc.).
>
> Dinis Cruz
>
> On 6 Mar 2013, at 19:55, Nitin Vindhara <nitin.vindhara at gmail.com> wrote:
>
>> My experience with AppScan is better than with WebInspect. I mean in
>> terms of identifying the most vulnerabilities.
>>
>> However, more false positives are reported by AppScan.
>> Acunetix is better in terms of fewer false positives.
>>
>> Burp is semi-automated, but good at finding some additional vulnerabilities.
>> It can be an additional scanner, but not the only one.
>> Its main objective is as a proxy, not a scanner.
>>
>> However, support for WebInspect and Acunetix is found to be better.
>>
>> So depending on your needs and the skill set you or your team have, the
>> decision has to be taken.
>>
>> Also, these are my personal views; they cannot be foolproof.
>>
>> Regards
>> Nitin
>>
>> On 3/6/13, Daniel Herrera <daherrera101 at yahoo.com> wrote:
>>> "Web application scanners that provide trial licenses with limiters
>>> like target domains can be circumvented by statically resolving their
>>> target domain to an IP of your choosing on the environment that you
>>> are running the scanner from."
>>>
>>> --- On Wed, 3/6/13, Daniel Herrera <daherrera101 at yahoo.com> wrote:
>>>
>>> From: Daniel Herrera <daherrera101 at yahoo.com>
>>> Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
>>> testing
>>> To: "Zippy Zeppoli" <zippyzeppoli at gmail.com>, "Phil Gmail"
>>> <phil at safewalls.net>
>>> Cc: "websecurity at lists.webappsec.org"
>>> <websecurity at lists.webappsec.org>
>>> Date: Wednesday, March 6, 2013, 11:06 AM
>>>
>>> Sooo... web application scanners that provide trial licenses with
>>> limiters like target domains can be circumvented by statically
>>> resolving their target domain to an IP of your choosing on the
>>> environment that you are running that application from. Note that
>>> your target application must accept arbitrary "Host" header entries.
>>>
>>> Some interesting options to look into would be:
>>>
>>> Netsparker
>>> http://www.mavitunasecurity.com/netsparker/
>>>
>>> Websecurify
>>> http://www.websecurify.com/suite
>>>
>>> Personally I don't put much faith in automated assessment utilities
>>> both open and closed source. There are a lot of common flaws and
>>> pitfalls that can negatively impact a scan and the quality of its output.
>>>
>>> I always recommend that people move past the tools and dig into the
>>> concepts themselves. Unlike network interrogation, which in my opinion
>>> has a far more finite set of test cases, application interrogation is
>>> very complex and difficult to do generically well across the myriad
>>> of implementations people come up with daily... literally. All that
>>> said, many of the paid solutions have been working on the problem for
>>> a while and they set a decent bar; hybrid solutions like WhiteHat
>>> that provide managed scanning tend to perform better than their unmanaged
>>> counterparts in my opinion.
>>>
>>> /morning ramble
>>>
>>> I didn't see your original question to the list, so this is the best
>>> answer I could provide within the context of what I saw.
>>>
>>>
>>> D
>>>
>>>
>>>
>>> --- On Tue, 3/5/13, Phil Gmail <phil at safewalls.net> wrote:
>>>
>>> From: Phil Gmail <phil at safewalls.net>
>>> Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
>>> testing
>>> To: "Zippy Zeppoli"
>>> <zippyzeppoli at gmail.com>
>>> Cc: "websecurity at lists.webappsec.org"
>>> <websecurity at lists.webappsec.org>
>>> Date: Tuesday, March 5, 2013, 6:46 PM
>>>
>>> I'd recommend Burp Pro, but it is not an automated tool.
>>> Www.burpsuite.com
>>>
>>> Phil
>>> Sent from iPhone
>>> Twitter: @sec_prof
>>>
>>> On Mar 5, 2013, at 17:53, Zippy Zeppoli <zippyzeppoli at gmail.com> wrote:
>>>
>>>> Hello,
>>>> I am looking for a solution to do web application vulnerability
>>>> scanning / testing.
>>>> IBM's Rational AppScan seems like a good solution, and I've used it
>>>> in the past.
>>>> The only problem seems to be the IBM part. I'm trying to engage them
>>>> for a trial license that doesn't only scan some useless WebGoat, and
>>>> test it on my own app.
>>>>
>>>> I'm getting kind of dismayed with the responsiveness, so I'm wondering
>>>> if there are better *commercial* solutions out there which are ready
>>>> to go out of the box.
>>>> I'd love to use open source tools, but I don't have the time to do
>>>> the engineering part since I'm overburdened.
>>>>
>>>> Thanks for your tips.
>>>>
>>>> Z
>>>>
>>>> _______________________________________________
>>>> The Web Security Mailing List
>>>>
>>>> WebSecurity RSS Feed
>>>> http://www.webappsec.org/rss/websecurity.rss
>>>>
>>>> Join WASC on LinkedIn
>>>> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>>>
>>>> WASC on Twitter
>>>> http://twitter.com/wascupdates
>>>>
>>>> websecurity at lists.webappsec.org
>>>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>>>
>>
>>
>> --
>> Regards
>>
>> Nitin Vindhara
>>
>
>
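Dinis Cruz's suggestion earlier in the thread, mining the application's own source for URLs, form fields and REST interfaces and handing them to the scanner as seeds, as an added Python example; it is not part of the original thread and not the code of any scanner named in it. The three SAMPLE_* snippets are constructed stand-ins for a real code base, and the patterns it matches (Flask-style `@app.route` decorators, HTML `<form>` blocks, `fetch()` and `$.ajax()` calls) are generic conventions chosen for the example, not a particular product's import format. It goes a step beyond the one-line suggestion by merging the three views of the same endpoint: a route declares the path template and allowed methods, the form supplies the parameter names worth fuzzing, and client-side JavaScript surfaces REST calls a crawler may never trigger.

```python
"""Mine application source for scanner seeds: routes, form fields, REST calls.

All three SAMPLE_* snippets are constructed stand-ins for a real code base;
the patterns matched are generic Flask-style decorators, HTML forms and
fetch()/$.ajax() calls, not any particular scanner's import format.
"""
import json
import re
from collections import defaultdict

# --- constructed sample source (hypothetical application, not a real one) ---
SAMPLE_PY = '''
@app.route("/login", methods=["POST"])
def login(): ...
@app.route("/api/v1/users/<int:user_id>", methods=["GET", "DELETE"])
def user(user_id): ...
@app.route("/search")
def search(): ...
'''
SAMPLE_HTML = '''
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="x">
</form>
<form action="/search" method="get">
  <input name="q"><select name="category"></select>
</form>
'''
SAMPLE_JS = '''
fetch("/api/v1/users/42", {method: "DELETE"});
fetch("/api/v1/orders");
$.ajax({url: "/api/v1/report", type: "POST"});
'''

ROUTE_RE = re.compile(r'@app\.route\(\s*"(?P<path>[^"]+)"'
                      r'(?:\s*,\s*methods\s*=\s*\[(?P<methods>[^\]]*)\])?\s*\)')
PATH_PARAM_RE = re.compile(r'<(?:\w+:)?(?P<name>\w+)>')      # <int:user_id> -> user_id
FORM_RE = re.compile(r'<form(?P<attrs>[^>]*)>(?P<body>.*?)</form>', re.S | re.I)
FIELD_RE = re.compile(r'<(?:input|select|textarea)[^>]*\sname="([^"]+)"', re.I)
FETCH_RE = re.compile(r'fetch\(\s*"(?P<url>[^"]+)"(?:\s*,\s*\{(?P<opts>[^}]*)\})?')
AJAX_RE = re.compile(r'\$\.ajax\(\s*\{(?P<opts>[^}]*)\}')


def _opt(text, key):
    """Return the quoted value of `key` in an HTML attribute list (key="v")
    or a JS option object (key: "v"); None when absent."""
    m = re.search(r'\b' + key + r'\s*[=:]\s*"([^"]+)"', text or "", re.I)
    return m.group(1) if m else None


def collect_seeds(py_src, html_src, js_src):
    """Return {path: {"methods", "params", "sources"}} merged across all inputs."""
    seeds = defaultdict(lambda: {"methods": set(), "params": set(), "sources": set()})

    def add(path, methods, params, source):
        entry = seeds[path]
        entry["methods"].update(m.upper() for m in methods)
        entry["params"].update(params)
        entry["sources"].add(source)

    # 1. Server-side routes: path template plus declared HTTP methods (GET if none).
    for m in ROUTE_RE.finditer(py_src):
        raw = m.group("path")
        path = PATH_PARAM_RE.sub(lambda pm: "{" + pm.group("name") + "}", raw)
        methods = re.findall(r'"(\w+)"', m.group("methods") or "") or ["GET"]
        add(path, methods, PATH_PARAM_RE.findall(raw), "route")

    # 2. HTML forms: action, method and every named field the scanner should fuzz.
    for m in FORM_RE.finditer(html_src):
        add(_opt(m.group("attrs"), "action") or "/",
            [_opt(m.group("attrs"), "method") or "GET"],
            FIELD_RE.findall(m.group("body")), "form")

    # 3. Client-side REST calls that a crawler may never trigger.
    for m in FETCH_RE.finditer(js_src):
        add(m.group("url"), [_opt(m.group("opts"), "method") or "GET"], [], "js")
    for m in AJAX_RE.finditer(js_src):
        url = _opt(m.group("opts"), "url")
        if url:
            add(url, [_opt(m.group("opts"), "type") or "GET"], [], "js")
    return dict(seeds)


def to_scanner_seeds(seeds):
    """Serialise as a sorted JSON list that a scanner import step could consume."""
    rows = [{"path": p, "methods": sorted(e["methods"]), "params": sorted(e["params"]),
             "sources": sorted(e["sources"])} for p, e in sorted(seeds.items())]
    return json.dumps(rows, indent=2)


if __name__ == "__main__":
    print(to_scanner_seeds(collect_seeds(SAMPLE_PY, SAMPLE_HTML, SAMPLE_JS)))
```

Run as-is and it prints six seeds; note that `/login` carries the POST method from the route and the `username`, `password` and `csrf_token` parameters from the form, which is exactly the merge a crawler-only scan can miss when the login page is behind JavaScript. Against a real code base the regexes would be swapped for the framework's own route table (or a proper HTML parser), but the merge step and the output shape stay the same.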



