[WEB SECURITY] best tool for web app scanning / pen testing

Zippy Zeppoli zippyzeppoli at gmail.com
Fri Mar 8 14:31:55 EST 2013


Classic buy vs build.
Advantages to both.
Not against open source.

On Wed, Mar 6, 2013 at 3:31 AM, psiinon <psiinon at gmail.com> wrote:
> Hi Zippy,
>
> I'm intrigued by your reluctance to use open source tools.
> You seem to want a simple solution that just works out of the box.
> I'd be surprised if you can find anything like that - I think all web app
> scanners (commercial and open source) need some configuration to get the
> most out of them.
>
> I can't talk for any other tools, but ZAP is easy to install, and you can
> perform a 'quick' scan by just entering a URL and pressing a button.
> However you will need to perform more configuration in order to handle
> authentication and tune ZAP to work as effectively as possible with your
> apps.
> Not sure if you count that as 'engineering' ;)
> If you do decide to give it a go you'll hopefully find that if you do have
> any problems then any questions asked on our user group will get quick and
> useful replies :)
>
> Cheers,
>
> Simon (ZAP project lead)
>
>
>
> On Wed, Mar 6, 2013 at 9:20 AM, Vernon Jones <Vernon.Jones at derivco.com>
> wrote:
>>
>> Hey Z
>>
>>
>> For commercial tools you can try one of the following
>>
>> HP Fortify WebInspect -
>> http://www8.hp.com/us/en/software-solutions/software.html?compURI=1341991
>>
>> Acunetix - www.acunetix.com
>>
>>
>> For Open source you can try one of the following
>>
>> OWASP ZED Proxy with built-in scanner for OWASP Top 10 -
>> https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
>>
>>
>> CAT Proxy - http://www.contextis.com/research/tools/cat/
>>
>> Hope this helps dude
>>
>> V
>>
>>
>> -----Original Message-----
>> From: websecurity [mailto:websecurity-bounces at lists.webappsec.org] On
>> Behalf Of Zippy Zeppoli
>> Sent: 06 March 2013 03:54 AM
>> To: websecurity at lists.webappsec.org
>> Subject: [WEB SECURITY] best tool for web app scanning / pen testing
>>
>> Hello,
>> I am looking for a solution to do web application vulnerability scanning /
>> testing.
>> IBM's Rational AppScan seems like a good solution, and I've used it in the
>> past.
>> The only problem seems to be the IBM part. I'm trying to engage them for a
>> trial license that doesn't only scan some useless WebGoat, and test it on my
>> own app.
>>
>> I'm getting kind of dismayed with the responsiveness, so I'm wondering if
>> there are better *commercial* solutions out there which are ready to go out
>> of the box.
>> I'd love to use open source tools, but I don't have the time to do the
>> engineering part since I'm overburdened.
>>
>> Thanks for your tips.
>>
>> Z
>>
>> _______________________________________________
>> The Web Security Mailing List
>>
>> WebSecurity RSS Feed
>> http://www.webappsec.org/rss/websecurity.rss
>>
>> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>
>> WASC on Twitter
>> http://twitter.com/wascupdates
>>
>> websecurity at lists.webappsec.org
>>
>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>>
>
>
>
>
> --
> OWASP ZAP Project leader



