[WEB SECURITY] best tool for web app scanning / pen testing

sheik nizamuddin sheik.nizamuddin at gmail.com
Fri Mar 8 06:16:03 EST 2013


Security tools benchmarking; this may help:
http://sectooladdict.blogspot.in/2011/08/commercial-web-application-scanner.html


Regards,
Sheik Nizamuddin




On Fri, Mar 8, 2013 at 8:05 AM, Prasad Shenoy <prasad.shenoy at gmail.com> wrote:

> Thanks! I am sure Zippy will find this helpful.
>
> PS
>
> On Mar 7, 2013, at 9:25 PM, The Dead <th3d34d at gmail.com> wrote:
>
> > Check this:
> >
> >
> > > http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html
> >
> >
> >
> > > On Thu, Mar 7, 2013 at 6:31 PM, Prasad Shenoy <prasad.shenoy at gmail.com> wrote:
> >> Every once in a while someone posts this question about "best tool for
> >> web app scanning" and we as a community get into the same kind of
> >> discussion only to agree to agree or agree to disagree at the end.
> >>
> >> I don't believe any of this helps the person asking the question by
> >> whatever intent possible. If anything, the technological gibberish
> >> (pardon me) only adds to more FUD around the mind of someone trying to
> >> get a straight answer to a straightforward question.
> >>
> >> /evening rant
> >>
> >> PS
> >>
> >> On Mar 7, 2013, at 3:45 PM, "Ofer Shezaf" <ofer at shezaf.com> wrote:
> >>
> >> Humor aside, I think we are very much in agreement. Even the best of
> >> tools will not replace humans.
> >>
> >> The issue is that I think tools should be evaluated, at least in most
> >> cases, based on how they empower the average and not very experienced
> >> app sec guy rather than how lethal they are in the hand of the master.
> >>
> >> ~ Ofer
> >>
> >> From: Andre Gironda [mailto:andreg at gmail.com]
> >> Sent: Thursday, March 07, 2013 10:28 PM
> >> To: Ofer Shezaf
> >> Cc: Dinis Cruz; Nitin Vindhara; websecurity at lists.webappsec.org; Phil Gmail
> >> Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
> >>
> >>
> >> Ofer,
> >>
> >> It's just that most Unixes come with either wget or curl right from the
> >> start. You'd have to install PowerShell to get anything equivalent on
> >> Windows, unless you were already a developer who had your own HTTP/TLS
> >> clients written in a certain language, such as .NET (which could also be
> >> ported to Unix with Mono).
> >>
> >> Metasploit requires Unix (or Cygwin when on Windows), and it's the
> >> dominant pen testing platform across the world. How could you say it's
> >> just me?
> >>
> >> There are many open-source tools, libraries, frameworks, and testing
> >> platforms, especially built around Unix platforms. During a pen test,
> >> it's about combining those things together -- to which I haven't seen a
> >> good commercial library or framework in the web app pen space.
> >>
> >> There are some commercial tools that can be used by pen-testers in the
> >> Enterprise workflow for application security risk management purposes.
> >> For example, I like to get all of my findings into Burp Suite
> >> Professional so that I can submit them to Fortify Software Security
> >> Center. Note that I work for HP, so I may come across Fortify SSC more
> >> often than this audience.
> >>
> >> By no means should you assume that myself or anyone who does web app
> >> pen for HP or any company uses only those tools. I am literally saying
> >> here that all tools are relevant and have purpose when dealing with
> >> appsec. If you want to present your findings to an information security
> >> team, directors, or C-level executives trying to make decisions around
> >> appsec risk management issues, then there are few commercial portal
> >> offerings to aid in that effort. Application security risk management
> >> portals are critical path to instill inside a large-installation
> >> organization.
> >>
> >> In other words, it's not "which tools" you need "to buy", but more "what
> >> skillsets do you need to find the issues and can those skills match up
> >> to the requirements necessary to report/understand/mediate those
> >> issues?". The answer to the skillsets is usually either a Unix person,
> >> or an appdev who has written their own HTTP/TLS clients and
> >> XML/JSON/HTML/JS/AS parsers. Would you say it's easier to find/educate
> >> a Unix person or a specific-domain appdev?
> >>
> >>
> >> dre
> >>
> >> On Thu, Mar 7, 2013 at 12:42 PM, Ofer Shezaf <ofer at shezaf.com> wrote:
> >>
> >> I gave it a try. I SSHed to the first Unix machine I could find. I
> >> stared at the prompt. It stared at me. Alas, no application
> >> vulnerability surfaced out from the black surface.
> >>
> >> What you really say is that Unix + Andre is the best tool. I accept
> >> that. The only issue is that Andre is a very scarce resource
> >> (approximately 1 in 7 billion in the sample population).
> >>
> >> ~ Ofer
> >>
> >> From: Andre Gironda [mailto:andreg at gmail.com]
> >> Sent: Thursday, March 07, 2013 8:37 PM
> >> To: Ofer Shezaf
> >> Cc: Dinis Cruz; Nitin Vindhara; websecurity at lists.webappsec.org; Phil Gmail
> >>
> >> Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
> >>
> >> I like to pick up a new tool every time I need to do something with web
> >> apps or pen-testing. Or pick up a new way to write an HTTP client in a
> >> different language. Or parse HTML/JS/AS. Or especially to figure out
> >> what blobs of data are.
> >>
> >> Therefore, I have concluded that the best tool for web app scanning /
> >> pen testing is Unix. Any Unix or clone of Unix, or subset of Unix such
> >> as Cygwin. They'll all do. ;>
> >>
> >> dre
> >>
> >>
> >>
> >>
> >> On Wed, Mar 6, 2013 at 11:02 PM, Ofer Shezaf <ofer at shezaf.com> wrote:
> >>
> >> Commercial scanners do that today, usually as part of their integration
> >> with a runtime element embedded in the application.
> >>
> >> ~ Ofer
> >>
> >> -----Original Message-----
> >> From: websecurity [mailto:websecurity-bounces at lists.webappsec.org] On
> >> Behalf Of Dinis Cruz
> >> Sent: Thursday, March 07, 2013 12:46 AM
> >> To: Nitin Vindhara
> >> Cc: websecurity at lists.webappsec.org; Phil Gmail
> >> Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
> >>
> >> If you have access to the source code of the target application, you
> >> should also analyse it and extract data to feed to the web scanners (for
> >> example all possible URLs, form fields, web services, REST interfaces,
> >> etc.)
> >>
> >> Dinis Cruz
> >>
> >> On 6 Mar 2013, at 19:55, Nitin Vindhara <nitin.vindhara at gmail.com> wrote:
> >>
> >>> My experience with AppScan is better than with WebInspect. I mean in
> >>> terms of identifying the maximum number of vulnerabilities.
> >>>
> >>> However, more false positives are reported by AppScan.
> >>> Acunetix is better in terms of fewer false positives.
> >>>
> >>> Burp is semi-automated, but good at finding some additional
> >>> vulnerabilities. It can be an additional scanner, but not the only one.
> >>> Its main objective is as a proxy, not a scanner.
> >>>
> >>> However, the support for WebInspect and Acunetix is found to be better.
> >>>
> >>> So depending on your needs and the skill set you or your team have, the
> >>> decision has to be taken.
> >>>
> >>> Also, these are my personal views; they cannot be foolproof.
> >>>
> >>> Regards
> >>> Nitin
> >>>
> >>> On 3/6/13, Daniel Herrera <daherrera101 at yahoo.com> wrote:
> >>>> "Web application scanners that provide trial licenses with limiters
> >>>> like target domains can be circumvented by statically resolving their
> >>>> target domain to an IP of your choosing on the environment that you
> >>>> are running the scanner from."
> >>>>
> >>>> --- On Wed, 3/6/13, Daniel Herrera <daherrera101 at yahoo.com> wrote:
> >>>>
> >>>> From: Daniel Herrera <daherrera101 at yahoo.com>
> >>>> Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
> >>>> testing
> >>>> To: "Zippy Zeppoli" <zippyzeppoli at gmail.com>, "Phil Gmail"
> >>>> <phil at safewalls.net>
> >>>> Cc: "websecurity at lists.webappsec.org"
> >>>> <websecurity at lists.webappsec.org>
> >>>> Date: Wednesday, March 6, 2013, 11:06 AM
> >>>>
> >>>> Sooo... web application scanners that provide trial licenses with
> >>>> limiters like target domains can be circumvented by statically
> >>>> resolving their target domain to an IP of your choosing on the
> >>>> environment that you are running that application from. Note that
> >>>> your target application must accept arbitrary "Host" header entries.
> >>>>
> >>>> Some interesting options to look into would be:
> >>>>
> >>>> Netsparker
> >>>> http://www.mavitunasecurity.com/netsparker/
> >>>>
> >>>> Websecurify
> >>>> http://www.websecurify.com/suite
> >>>>
> >>>> Personally I don't put much faith in automated assessment utilities,
> >>>> both open and closed source. There are a lot of common flaws and
> >>>> pitfalls that can negatively impact a scan and the quality of its
> >>>> output.
> >>>>
> >>>> I always recommend that people move past the tools and dig into the
> >>>> concepts themselves. Unlike network interrogation, which in my opinion
> >>>> has a far more finite set of test cases, application interrogation is
> >>>> very complex and difficult to do generically well across the myriad
> >>>> of implementations people come up with daily... literally. All that
> >>>> said, many of the paid solutions have been working on the problem for
> >>>> a while and they set a decent bar; hybrid solutions like WhiteHat
> >>>> that provide managed scanning tend to perform better than their
> >>>> unmanaged counterparts in my opinion.
> >>>>
> >>>> /morning ramble
> >>>>
> >>>> I didn't see your original question to the list, so this is the best
> >>>> answer I could provide within the context of what I saw.
> >>>>
> >>>>
> >>>> D
> >>>>
> >>>>
> >>>>
> >>>> --- On Tue, 3/5/13, Phil Gmail <phil at safewalls.net> wrote:
> >>>>
> >>>> From: Phil Gmail <phil at safewalls.net>
> >>>> Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
> >>>> testing
> >>>> To: "Zippy Zeppoli"
> >>>> <zippyzeppoli at gmail.com>
> >>>> Cc: "websecurity at lists.webappsec.org"
> >>>> <websecurity at lists.webappsec.org>
> >>>> Date: Tuesday, March 5, 2013, 6:46 PM
> >>>>
> >>>> I'd recommend Burp Pro, but it is not an automated tool.
> >>>> Www.burpsuite.com
> >>>>
> >>>> Phil
> >>>> Sent from iPhone
> >>>> Twitter: @sec_prof
> >>>>
> >>>> On Mar 5, 2013, at 17:53, Zippy Zeppoli <zippyzeppoli at gmail.com> wrote:
> >>>>
> >>>>> Hello,
> >>>>> I am looking for a solution to do web application vulnerability
> >>>>> scanning / testing.
> >>>>> IBM's Rational AppScan seems like a good solution, and I've used it
> >>>>> in the past.
> >>>>> The only problem seems to be the IBM part. I'm trying to engage them
> >>>>> for a trial license that doesn't only scan some useless WebGoat, and
> >>>>> test it on my own app.
> >>>>>
> >>>>> I'm getting kind of dismayed with the responsiveness, so I'm
> >>>>> wondering if there are better *commercial* solutions out there which
> >>>>> are ready to go out of the box.
> >>>>> I'd love to use open source tools, but I don't have the time to do
> >>>>> the engineering part since I'm overburdened.
> >>>>>
> >>>>> Thanks for your tips.
> >>>>>
> >>>>> Z
> >>>>>
> >>>>> _______________________________________________
> >>>>> The Web Security Mailing List
> >>>>>
> >>>>> WebSecurity RSS Feed
> >>>>> http://www.webappsec.org/rss/websecurity.rss
> >>>>>
> >>>>> Join WASC on LinkedIn
> >>>>> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> >>>>>
> >>>>> WASC on Twitter
> >>>>> http://twitter.com/wascupdates
> >>>>>
> >>>>> websecurity at lists.webappsec.org
> >>>>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
> >>>>
> >>>
> >>>
> >>> --
> >>> Regards
> >>>
> >>> Nitin Vindhara
> >>>
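Dinis Cruz's suggestion in the thread (mine the source for URLs, form fields and REST interfaces and feed them to the scanner) is easy to mechanise. The following is an added example, not code posted by anyone in the thread: it pulls Flask-style `@x.route` decorators out of a Python module and form actions plus field names out of an HTML template, both constructed samples embedded as strings, and merges them into one seed list keyed by HTTP method and URL. The route syntax handled, the placeholder values substituted for URL converters such as `<int:user_id>`, and the target base URL `http://target.example` are all assumptions; extend the regexes for whatever routing and templating your own application uses.

```python
"""Derive scanner seeds (method, URL, parameter names) from application source.

Added example for this thread, not code from any participant. The sample
Flask module and HTML template below are constructed inputs; the regexes
handle Flask-style @x.route decorators and plain HTML forms only.
"""
import re
from urllib.parse import urljoin

# Constructed sample: the "source code of the target application".
SAMPLE_APP = '''
from flask import Flask, request
app = Flask(__name__)

@app.route("/")
def index():
    return "hi"

@app.route("/login", methods=["GET", "POST"])
def login():
    return request.form.get("user", "")

@app.route("/api/users/<int:user_id>", methods=["GET", "DELETE"])
def user(user_id):
    return str(user_id)

@app.route('/search')
def search():
    return request.args.get("q", "")
'''

# Constructed sample template: two forms, one of them with no method attribute.
SAMPLE_TEMPLATE = '''
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="abc">
  <button type="submit">Go</button>
</form>
<form action="/search">
  <input name="q"><select name="scope"><option>all</option></select>
</form>
'''

ROUTE_RE = re.compile(r"""@\w+\.route\(\s*(['"])(?P<path>[^'"]+)\1(?P<rest>[^)]*)\)""")
METHOD_RE = re.compile(r"""['"]([A-Za-z]+)['"]""")
FORM_RE = re.compile(r"<form\b(?P<attrs>[^>]*)>(?P<body>.*?)</form>", re.S | re.I)
ATTR_RE = r"""\b{name}\s*=\s*["']([^"']*)["']"""
FIELD_RE = re.compile(r"""<(?:input|select|textarea)\b[^>]*\bname\s*=\s*["']([^"']+)["']""", re.I)
# Placeholder values for Flask URL converters (assumed; use values your app accepts).
CONVERTER_PLACEHOLDER = {"int": "1", "float": "1.0", "path": "a/b",
                         "uuid": "00000000-0000-0000-0000-000000000000"}


def fill_converters(path):
    """Turn '/api/users/<int:user_id>' into a concrete path a scanner can request."""
    def repl(m):
        return CONVERTER_PLACEHOLDER.get(m.group("conv") or "string", "test")
    return re.sub(r"<(?:(?P<conv>\w+):)?(?P<name>\w+)>", repl, path)


def extract_routes(py_source):
    """Return [{'path': ..., 'methods': [...]}, ...] for every @x.route decorator."""
    routes = []
    for m in ROUTE_RE.finditer(py_source):
        methods = [s.upper() for s in METHOD_RE.findall(m.group("rest"))] or ["GET"]
        routes.append({"path": m.group("path"), "methods": methods})
    return routes


def extract_forms(html_source):
    """Return [{'action': ..., 'method': ..., 'fields': [...]}, ...] for each <form>."""
    forms = []
    for m in FORM_RE.finditer(html_source):
        attrs, body = m.group("attrs"), m.group("body")
        action = re.search(ATTR_RE.format(name="action"), attrs, re.I)
        method = re.search(ATTR_RE.format(name="method"), attrs, re.I)
        forms.append({
            "action": action.group(1) if action else "",
            "method": method.group(1).upper() if method else "GET",  # HTML default
            "fields": FIELD_RE.findall(body),
        })
    return forms


def build_seeds(base_url, routes, forms):
    """Merge routes and forms into one seed per (method, URL), with parameter names."""
    seeds = {}
    for r in routes:
        url = urljoin(base_url, fill_converters(r["path"]))
        for meth in r["methods"]:
            seeds.setdefault((meth, url), [])
    for f in forms:
        # An empty action submits to the page itself; mapping it to "/" is an assumption.
        url = urljoin(base_url, f["action"] or "/")
        params = seeds.setdefault((f["method"], url), [])
        for name in f["fields"]:
            if name not in params:
                params.append(name)
    return [{"method": m, "url": u, "params": p} for (m, u), p in sorted(seeds.items())]


def to_scanner_list(seeds):
    """One line per seed: 'METHOD URL param1,param2' (params omitted when none)."""
    return [" ".join(filter(None, [s["method"], s["url"], ",".join(s["params"])]))
            for s in seeds]


if __name__ == "__main__":
    seeds = build_seeds("http://target.example",
                        extract_routes(SAMPLE_APP), extract_forms(SAMPLE_TEMPLATE))
    print("\n".join(to_scanner_list(seeds)))
```

Feed the resulting list to whatever URL import or site-map seeding facility your scanner offers, so it starts from every endpoint the source declares (including the DELETE on `/api/users/<id>` that no crawler would discover from links) rather than only from what it happens to reach; the POST entries carry the parameter names the scanner should fuzz, and comparing the seed list against the scanner's own site map afterwards is a quick check on how much of the application its crawler actually covered.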