[WEB SECURITY] best tool for web app scanning / pen testing

Prasad Shenoy prasad.shenoy at gmail.com
Thu Mar 7 21:35:08 EST 2013


Thanks! I am sure Zippy will find this helpful.

PS

On Mar 7, 2013, at 9:25 PM, The Dead <th3d34d at gmail.com> wrote:

> Check this:
> 
> http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html
> 
> 
> 
> On Thu, Mar 7, 2013 at 6:31 PM, Prasad Shenoy <prasad.shenoy at gmail.com> wrote:
>> Every once in a while someone posts this question about "best tool for web
>> app scanning" and we as a community get into the same kind of discussion
>> only to agree to agree or agree to disagree at the end.
>> 
>> I don't believe any of this helps the person asking the question by whatever
>> intent possible. If anything, the technological gibberish (pardon me) only
>> adds to more FUD around the mind of someone trying to get a straight answer
>> to a straightforward question.
>> 
>> /evening rant
>> 
>> PS
>> 
>> On Mar 7, 2013, at 3:45 PM, "Ofer Shezaf" <ofer at shezaf.com> wrote:
>> 
>> Humor aside, I think we are very much in agreement. Even the best of tools
>> will not replace humans.
>> 
>> The issue is that I think tools should be evaluated, at least in most cases,
>> based on how they empower the average and not very experienced app sec guy
>> rather than how lethal they are in the hand of the master.
>> 
>> ~ Ofer
>> 
>> From: Andre Gironda [mailto:andreg at gmail.com]
>> Sent: Thursday, March 07, 2013 10:28 PM
>> To: Ofer Shezaf
>> Cc: Dinis Cruz; Nitin Vindhara; websecurity at lists.webappsec.org; Phil Gmail
>> Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
>> 
>> 
>> Ofer,
>> 
>> It's just that most Unixes come with either wget or curl right from the
>> start. You'd have to install Powershell to get anything equivalent on
>> Windows, unless you were already a developer who had your own HTTP/TLS
>> clients written in a certain language, such as .NET (which could also be
>> ported to Unix with Mono).
>> 
>> Metasploit requires Unix (or Cygwin when on Windows), and it's the dominant
>> pen testing platform across the world. How could you say it's just me?
>> 
>> There are many open-source tools, libraries, frameworks, and testing
>> platforms, especially built around Unix platforms. During a pen test, it's
>> about combining those things together -- to which I haven't seen a good
>> commercial library or framework in the web app pen space.
>> 
>> There are some commercial tools that can be used by pen-testers in the
>> Enterprise workflow for application security risk management purposes. For
>> example, I like to get all of my findings into Burp Suite Professional so
>> that I can submit them to Fortify Software Security Center. Note that I work
>> for HP, so I may come across Fortify SSC more often than this audience.
>> 
>> By no means should you assume that I or anyone who does web app pen for
>> HP or any company uses only those tools. I am literally saying here that all
>> tools are relevant and have purpose when dealing with appsec. If you want to
>> present your findings to an information security team, directors, or C-level
>> executives trying to make decisions around appsec risk management issues,
>> then there are few commercial portal offerings to aid in that effort.
>> Application security risk management portals are critical path to instill
>> inside a large-installation organization.
>> 
>> In other words, it's not "which tools" you need "to buy", but more "what
>> skillsets do you need to find the issues and can those skills match up to
>> the requirements necessary to report/understand/mediate those issues?". The
>> answer to the skillsets is usually either a Unix person, or an appdev who
>> has written their own HTTP/TLS clients and XML/JSON/HTML/JS/AS parsers.
>> Would you say it's easier to find/educate a Unix person or a specific-domain
>> appdev?
>> 
>> 
>> dre
>> 
>> On Thu, Mar 7, 2013 at 12:42 PM, Ofer Shezaf <ofer at shezaf.com> wrote:
>> 
>> I gave it a try. I SSHed to the first Unix machine I could find. I stared at
>> the prompt. It stared at me. Alas, no application vulnerability surfaced out
>> from the black surface.
>> 
>> What you really say is that Unix + Andre is the best tool. I accept that.
>> The only issue is that Andre is a very scarce resource (approximately 1 in 7
>> billion in the sample population).
>> 
>> ~ Ofer
>> 
>> From: Andre Gironda [mailto:andreg at gmail.com]
>> Sent: Thursday, March 07, 2013 8:37 PM
>> To: Ofer Shezaf
>> Cc: Dinis Cruz; Nitin Vindhara; websecurity at lists.webappsec.org; Phil Gmail
>> 
>> Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
>> 
>> I like to pick up a new tool every time I need to do something with web apps
>> or pen-testing. Or pick up a new way to write an HTTP client in a different
>> language. Or parse HTML/JS/AS. Or especially to figure out what blobs of
>> data are.
>> 
>> Therefore, I have concluded that the best tool for web app scanning / pen
>> testing is Unix. Any Unix or clone of Unix, or subset of Unix such as
>> Cygwin. They'll all do. ;>
>> 
>> dre
>> 
>> 
>> 
>> 
>> On Wed, Mar 6, 2013 at 11:02 PM, Ofer Shezaf <ofer at shezaf.com> wrote:
>> 
>> Commercial scanners do that today, usually as part of their integration with
>> a runtime element embedded in the application.
>> 
>> ~ Ofer
>> 
>> -----Original Message-----
>> From: websecurity [mailto:websecurity-bounces at lists.webappsec.org] On Behalf
>> Of Dinis Cruz
>> Sent: Thursday, March 07, 2013 12:46 AM
>> To: Nitin Vindhara
>> Cc: websecurity at lists.webappsec.org; Phil Gmail
>> Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
>> 
>> If you have access to the source code of the target application, you should
>> also analyse it and extract data to feed to the web scanners (for example,
>> all possible URLs, form fields, web services, REST interfaces, etc.).
>> 
>> Dinis Cruz
>> 
>> On 6 Mar 2013, at 19:55, Nitin Vindhara <nitin.vindhara at gmail.com> wrote:
>> 
>>> My experience with appscan is better than webinspect. I mean in
>>> terms of identifying the maximum number of vulnerabilities.
>>> 
>>> However, more false positives are reported by appscan.
>>> Acunetix is better in terms of fewer false positives.
>>> 
>>> Burp is semi-automated, but good at finding some additional vulnerabilities.
>>> It can be an additional scanner, but not the only one.
>>> Its main objective is as a proxy, not a scanner.
>>> 
>>> However, the support for webinspect and Acunetix is found to be better.
>>> 
>>> So depending on your needs and the skill set you or your team have, the decision
>>> has to be taken.
>>> 
>>> Also, these are my personal views; they cannot be foolproof.
>>> 
>>> Regards
>>> Nitin
>>> 
>>> On 3/6/13, Daniel Herrera <daherrera101 at yahoo.com> wrote:
>>>> "Web application scanners that provide trial licenses with limiters
>>>> like target domains can be circumvented by statically resolving their
>>>> target domain to an IP of your choosing on the environment that you
>>>> are running the scanner from."
>>>> 
>>>> --- On Wed, 3/6/13, Daniel Herrera <daherrera101 at yahoo.com> wrote:
>>>> 
>>>> From: Daniel Herrera <daherrera101 at yahoo.com>
>>>> Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
>>>> testing
>>>> To: "Zippy Zeppoli" <zippyzeppoli at gmail.com>, "Phil Gmail"
>>>> <phil at safewalls.net>
>>>> Cc: "websecurity at lists.webappsec.org"
>>>> <websecurity at lists.webappsec.org>
>>>> Date: Wednesday, March 6, 2013, 11:06 AM
>>>> 
>>>> Sooo... web application scanners that provide trial licenses with
>>>> limiters like target domains can be circumvented by statically
>>>> resolving their target domain to an IP of your choosing on the
>>>> environment that you are running that application from. Note that
>>>> your target application must accept arbitrary "Host" header entries.
>>>> 
>>>> Some interesting options to look into would be:
>>>> 
>>>> Netsparker
>>>> http://www.mavitunasecurity.com/netsparker/
>>>> 
>>>> Websecurify
>>>> http://www.websecurify.com/suite
>>>> 
>>>> Personally I don't put much faith in automated assessment utilities
>>>> both open and closed source. There are a lot of common flaws and
>>>> pitfalls that can negatively impact a scan and the quality of its output.
>>>> 
>>>> I always recommend that people move past the tools and dig into the
>>>> concepts themselves. Unlike network interrogation, which in my opinion
>>>> has a far more finite set of test cases, application interrogation is
>>>> very complex and difficult to do generically well across the myriad
>>>> of implementations people come up with daily... literally. All that
>>>> said, many of the paid solutions have been working on the problem for
>>>> a while and they set a decent bar; hybrid solutions like Whitehat
>>>> that provide managed scanning tend to perform better than their unmanaged
>>>> counterparts in my opinion.
>>>> 
>>>> /morning ramble
>>>> 
>>>> I didn't see your original question to the list, so this is the best
>>>> answer I could provide within the context of what I saw.
>>>> 
>>>> 
>>>> D
>>>> 
>>>> 
>>>> 
>>>> --- On Tue, 3/5/13, Phil Gmail <phil at safewalls.net> wrote:
>>>> 
>>>> From: Phil Gmail <phil at safewalls.net>
>>>> Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
>>>> testing
>>>> To: "Zippy Zeppoli"
>>>> <zippyzeppoli at gmail.com>
>>>> Cc: "websecurity at lists.webappsec.org"
>>>> <websecurity at lists.webappsec.org>
>>>> Date: Tuesday, March 5, 2013, 6:46 PM
>>>> 
>>>> I'd recommend Burp Pro, but it is not an automated tool.
>>>> Www.burpsuite.com
>>>> 
>>>> Phil
>>>> Sent from iPhone
>>>> Twitter: @sec_prof
>>>> 
>>>> On Mar 5, 2013, at 17:53, Zippy Zeppoli <zippyzeppoli at gmail.com> wrote:
>>>> 
>>>>> Hello,
>>>>> I am looking for a solution to do web application vulnerability
>>>>> scanning / testing.
>>>>> IBM's rational appscan seems like a good solution, and I've used it
>>>>> in the past.
>>>>> The only problem seems to be the IBM part. I'm trying to engage them
>>>>> for a trial license that doesn't only scan some useless webgoat, and
>>>>> test it on my own app.
>>>>> 
>>>>> I'm getting kind of dismayed with the responsiveness, so I'm wondering
>>>>> if there are better *commercial* solutions out there which are ready
>>>>> to go out of the box.
>>>>> I'd love to use open source tools, but I don't have the time to do
>>>>> the engineering part since I'm overburdened.
>>>>> 
>>>>> Thanks for your tips.
>>>>> 
>>>>> Z
>>>>> 
>>>>> _______________________________________________
>>>>> The Web Security Mailing List
>>>>> 
>>>>> WebSecurity RSS Feed
>>>>> http://www.webappsec.org/rss/websecurity.rss
>>>>> 
>>>>> Join WASC on LinkedIn
>>>>> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>>>> 
>>>>> WASC on Twitter
>>>>> http://twitter.com/wascupdates
>>>>> 
>>>>> websecurity at lists.webappsec.org
>>>>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>>>> 
>>> 
>>> 
>>> --
>>> Regards
>>> 
>>> Nitin Vindhara
>>> 
>> 
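Dinis Cruz's suggestion in the thread above (when you have the source, mine it for URLs, form fields and interfaces and feed those to the scanner) as a worked example. This is editor-added code, not anything posted in the thread and not the code of any scanner named in it. It assumes a Flask-style `@app.route("...", methods=[...])` decorator for routing and plain HTML templates for forms; both sample inputs are constructed, and the `METHOD URL params` output format is a generic seed list, not any particular product's import format.

```python
import re
from html.parser import HTMLParser

# Constructed sample input (not real project code): a Flask-style routes module.
SAMPLE_ROUTES_PY = '''
@app.route("/login", methods=["GET", "POST"])
def login(): ...

@app.route("/api/users/<int:user_id>", methods=["GET", "DELETE"])
def user(user_id): ...

@app.route("/search")
def search(): ...
'''

# Constructed sample input: a template with two forms and a link.
SAMPLE_TEMPLATE_HTML = '''
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="x">
</form>
<form action="/search">
  <input name="q"> <select name="sort"><option>asc</option></select>
</form>
<a href="/help">Help</a>
'''

# Matches @app.route("<path>"[, methods=[...]]) decorators (assumed Flask-style routing).
ROUTE_RE = re.compile(
    r'@app\.route\(\s*"([^"]+)"(?:\s*,\s*methods\s*=\s*\[([^\]]*)\])?\s*\)')
# Matches <converter:name> or <name> placeholders inside a route path.
PATH_PARAM_RE = re.compile(r"<(?:\w+:)?(\w+)>")


def extract_routes(source):
    """Return (methods, concrete_path, path_param_names) for each route decorator."""
    routes = []
    for m in ROUTE_RE.finditer(source):
        path, methods = m.group(1), m.group(2)
        if methods:
            method_list = [s.strip().strip("\"'") for s in methods.split(",") if s.strip()]
        else:
            method_list = ["GET"]  # Flask's default when methods= is omitted
        params = PATH_PARAM_RE.findall(path)
        # Substitute a placeholder value so the scanner receives a concrete URL.
        concrete = PATH_PARAM_RE.sub("1", path)
        routes.append((method_list, concrete, params))
    return routes


class FormCollector(HTMLParser):
    """Collects form actions, methods, field names and anchor hrefs from a template."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.links = set()
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": a.get("method", "get").upper(), "fields": []}
            self.forms.append(self._form)
        elif tag in ("input", "select", "textarea") and self._form is not None and a.get("name"):
            # Hidden fields (e.g. CSRF tokens) are kept: the scanner needs them to submit validly.
            self._form["fields"].append(a["name"])
        elif tag == "a" and a.get("href"):
            self.links.add(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def build_seed_list(routes_source, template_html):
    """Merge route and template data into {(METHOD, path): sorted parameter names}."""
    seeds = {}
    for methods, path, params in extract_routes(routes_source):
        for method in methods:
            seeds.setdefault((method, path), set()).update(params)
    collector = FormCollector()
    collector.feed(template_html)
    for form in collector.forms:
        seeds.setdefault((form["method"], form["action"]), set()).update(form["fields"])
    for href in collector.links:
        seeds.setdefault(("GET", href), set())
    return {key: sorted(params) for key, params in seeds.items()}


def render_seed_lines(seeds, base_url="http://localhost:8080"):
    """Emit one 'METHOD URL param,param' line per seed (generic format, not any scanner's)."""
    return [f"{method} {base_url}{path} {','.join(params)}".rstrip()
            for (method, path), params in sorted(seeds.items())]


if __name__ == "__main__":
    for line in render_seed_lines(build_seed_list(SAMPLE_ROUTES_PY, SAMPLE_TEMPLATE_HTML)):
        print(line)
```

The point of merging the two sources is coverage: the routes file reveals endpoints a crawler never links to (here the DELETE on `/api/users/<id>`), while the template reveals the parameter names a form actually submits, so the scanner tests the real inputs rather than guessing them. A real code base would need one extractor per framework and template language, which is where the engineering effort Zippy mentioned goes.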