[WEB SECURITY] best tool for web app scanning / pen testing

Zippy Zeppoli zippyzeppoli at gmail.com
Fri Mar 8 14:33:40 EST 2013


Thanks for that one.

On Thu, Mar 7, 2013 at 6:25 PM, The Dead <th3d34d at gmail.com> wrote:
> Check this:
>
> http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html
>
>
>
> On Thu, Mar 7, 2013 at 6:31 PM, Prasad Shenoy <prasad.shenoy at gmail.com> wrote:
>> Every once in a while someone posts this question about "best tool for web
>> app scanning" and we as a community get into the same kind of discussion
>> only to agree to agree or agree to disagree at the end.
>>
>> I don't believe any of this helps the person asking the question by whatever
>> intent possible. If anything, the technological gibberish (pardon me) only
>> adds to more FUD around the mind of someone trying to get a straight answer
>> to a straightforward question.
>>
>> /evening rant
>>
>> PS
>>
>> On Mar 7, 2013, at 3:45 PM, "Ofer Shezaf" <ofer at shezaf.com> wrote:
>>
>> Humor aside, I think we are very much in agreement. Even the best of tools
>> will not replace humans.
>>
>> The issue is that I think tools should be evaluated, at least in most cases,
>> based on how they empower the average and not very experienced app sec guy
>> rather than how lethal they are in the hand of the master.
>>
>> ~ Ofer
>>
>> From: Andre Gironda [mailto:andreg at gmail.com]
>> Sent: Thursday, March 07, 2013 10:28 PM
>> To: Ofer Shezaf
>> Cc: Dinis Cruz; Nitin Vindhara; websecurity at lists.webappsec.org; Phil Gmail
>> Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
>>
>>
>> Ofer,
>>
>> It's just that most Unixes come with either wget or curl right from the
>> start. You'd have to install Powershell to get anything equivalent on
>> Windows, unless you were already a developer who had your own HTTP/TLS
>> clients written in a certain language, such as .NET (which could also be
>> ported to Unix with Mono).
>>
>> Metasploit requires Unix (or Cygwin when on Windows), and it's the dominant
>> pen testing platform across the world. How could you say it's just me?
>>
>> There are many open-source tools, libraries, frameworks, and testing
>> platforms, especially built around Unix platforms. During a pen test, it's
>> about combining those things together -- to which I haven't seen a good
>> commercial library or framework in the web app pen space.
>>
>> There are some commercial tools that can be used by pen-testers in the
>> Enterprise workflow for application security risk management purposes. For
>> example, I like to get all of my findings into Burp Suite Professional so
>> that I can submit them to Fortify Software Security Center. Note that I work
>> for HP, so I may come across Fortify SSC more often than this audience.
>>
>> By no means should you assume that I or anyone who does web app pen for
>> HP or any company uses only those tools. I am literally saying here that all
>> tools are relevant and have purpose when dealing with appsec. If you want to
>> present your findings to an information security team, directors, or C-level
>> executives trying to make decisions around appsec risk management issues,
>> then there are few commercial portal offerings to aid in that effort.
>> Application security risk management portals are critical path to instill
>> inside a large-installation organization.
>>
>> In other words, it's not "which tools" you need "to buy", but more "what
>> skillsets do you need to find the issues and can those skills match up to
>> the requirements necessary to report/understand/mediate those issues?". The
>> answer to the skillsets is usually either a Unix person, or an appdev who
>> has written their own HTTP/TLS clients and XML/JSON/HTML/JS/AS parsers.
>> Would you say it's easier to find/educate a Unix person or a specific-domain
>> appdev?
>>
>>
>> dre
>>
>> On Thu, Mar 7, 2013 at 12:42 PM, Ofer Shezaf <ofer at shezaf.com> wrote:
>>
>> I gave it a try. I SSHed to the first Unix machine I could find. I stared at
>> the prompt. It stared at me. Alas, no application vulnerability surfaced out
>> from the black surface.
>>
>> What you really say is that Unix + Andre is the best tool. I accept that.
>> The only issue is that Andre is a very scarce resource (approximately 1 in 7
>> billion in the sample population).
>>
>> ~ Ofer
>>
>> From: Andre Gironda [mailto:andreg at gmail.com]
>> Sent: Thursday, March 07, 2013 8:37 PM
>> To: Ofer Shezaf
>> Cc: Dinis Cruz; Nitin Vindhara; websecurity at lists.webappsec.org; Phil Gmail
>>
>> Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
>>
>> I like to pick up a new tool every time I need to do something with web apps
>> or pen-testing. Or pick up a new way to write an HTTP client in a different
>> language. Or parse HTML/JS/AS. Or especially to figure out what blobs of
>> data are.
>>
>> Therefore, I have concluded that the best tool for web app scanning / pen
>> testing is Unix. Any Unix or clone of Unix, or subset of Unix such as
>> Cygwin. They'll all do. ;>
>>
>> dre
>>
>>
>>
>>
>> On Wed, Mar 6, 2013 at 11:02 PM, Ofer Shezaf <ofer at shezaf.com> wrote:
>>
>> Commercial scanners do that today, usually as part of their integration with
>> a runtime element embedded in the application.
>>
>> ~ Ofer
>>
>> -----Original Message-----
>> From: websecurity [mailto:websecurity-bounces at lists.webappsec.org] On Behalf
>> Of Dinis Cruz
>> Sent: Thursday, March 07, 2013 12:46 AM
>> To: Nitin Vindhara
>> Cc: websecurity at lists.webappsec.org; Phil Gmail
>> Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
>>
>> If you have access to the source code of the target application, you should
>> also analyse it and extract data to feed to the web scanners (for example
>> all possible urls, form fields, web services, REST interfaces, etc)
>>
>> Dinis Cruz
>>
>> On 6 Mar 2013, at 19:55, Nitin Vindhara <nitin.vindhara at gmail.com> wrote:
>>
>>> My experience with AppScan is better than with WebInspect, I mean in
>>> terms of identifying the maximum number of vulnerabilities.
>>>
>>> However, more false positives are reported by AppScan.
>>> Acunetix is better in terms of fewer false positives.
>>>
>>> Burp is semi-automated, but good at finding some additional vulnerabilities.
>>> It can be an additional scanner, but not the only one.
>>> Its main objective is as a proxy, not a scanner.
>>>
>>> However, the support for WebInspect and Acunetix is found to be better.
>>>
>>> So depending on your needs and the skill set you or your team have, the
>>> decision has to be taken.
>>>
>>> Also, these are my personal views; they cannot be foolproof.
>>>
>>> Regards
>>> Nitin
>>>
>>> On 3/6/13, Daniel Herrera <daherrera101 at yahoo.com> wrote:
>>>> "Web application scanners that provide trial licenses with limiters
>>>> like target domains can be circumvented by statically resolving their
>>>> target domain to an IP of your choosing on the environment that you
>>>> are running the scanner from."
>>>>
>>>> --- On Wed, 3/6/13, Daniel Herrera <daherrera101 at yahoo.com> wrote:
>>>>
>>>> From: Daniel Herrera <daherrera101 at yahoo.com>
>>>> Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
>>>> testing
>>>> To: "Zippy Zeppoli" <zippyzeppoli at gmail.com>, "Phil Gmail"
>>>> <phil at safewalls.net>
>>>> Cc: "websecurity at lists.webappsec.org"
>>>> <websecurity at lists.webappsec.org>
>>>> Date: Wednesday, March 6, 2013, 11:06 AM
>>>>
>>>> Sooo... web application scanners that provide trial licenses with
>>>> limiters like target domains can be circumvented by statically
>>>> resolving their target domain to an IP of your choosing on the
>>>> environment that you are running that application from. Note that
>>>> your target application must accept arbitrary "Host" header entries.
>>>>
>>>> Some interesting options to look into would be:
>>>>
>>>> Netsparker
>>>> http://www.mavitunasecurity.com/netsparker/
>>>>
>>>> Websecurify
>>>> http://www.websecurify.com/suite
>>>>
>>>> Personally I don't put much faith in automated assessment utilities
>>>> both open and closed source. There are a lot of common flaws and
>>>> pitfalls that can negatively impact a scan and the quality of its output.
>>>>
>>>> I always recommend that people move past the tools and dig into the
>>>> concepts themselves, unlike network interrogation which in my opinion
>>>> has a far more finite set of test cases, application interrogation is
>>>> very complex and difficult to do generically well across the myriad
>>>> of implementations people come up with daily... literally. All that
>>>> said, many of the paid solutions have been working on the problem for
>>>> a while and they set a decent bar, hybrid solutions like Whitehat
>>>> that provide managed scanning tend to perform better than their unmanaged
>>>> counterparts in my opinion.
>>>>
>>>> /morning ramble
>>>>
>>>> I didn't see your original question to the list, so this is the best
>>>> answer I could provide within the context of what I saw.
>>>>
>>>>
>>>> D
>>>>
>>>>
>>>>
>>>> --- On Tue, 3/5/13, Phil Gmail <phil at safewalls.net> wrote:
>>>>
>>>> From: Phil Gmail <phil at safewalls.net>
>>>> Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
>>>> testing
>>>> To: "Zippy Zeppoli"
>>>> <zippyzeppoli at gmail.com>
>>>> Cc: "websecurity at lists.webappsec.org"
>>>> <websecurity at lists.webappsec.org>
>>>> Date: Tuesday, March 5, 2013, 6:46 PM
>>>>
>>>> I'd recommend Burp Pro, but it is not an automated tool.
>>>> Www.burpsuite.com
>>>>
>>>> Phil
>>>> Sent from iPhone
>>>> Twitter: @sec_prof
>>>>
>>>> On Mar 5, 2013, at 17:53, Zippy Zeppoli <zippyzeppoli at gmail.com> wrote:
>>>>
>>>>> Hello,
>>>>> I am looking for a solution to do web application vulnerability
>>>>> scanning / testing.
>>>>> IBM's Rational AppScan seems like a good solution, and I've used it
>>>>> in the past.
>>>>> The only problem seems to be the IBM part. I'm trying to engage them
>>>>> for a trial license that doesn't only scan some useless webgoat, and
>>>>> test it on my own app.
>>>>>
>>>>> I'm getting kind of dismayed with the responsiveness, so I'm
>>>>> wondering
>>>>> if there are better *commercial* solutions out there which are ready
>>>>> to go out of the box.
>>>>> I'd love to use open source tools, but I don't have the time to do
>>>>> the engineering part since I'm overburdened.
>>>>>
>>>>> Thanks for your tips.
>>>>>
>>>>> Z
>>>>>
>>>>> _______________________________________________
>>>>> The Web Security Mailing List
>>>>>
>>>>> WebSecurity RSS Feed
>>>>> http://www.webappsec.org/rss/websecurity.rss
>>>>>
>>>>> Join WASC on LinkedIn
>>>>> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>>>>
>>>>> WASC on Twitter
>>>>> http://twitter.com/wascupdates
>>>>>
>>>>> websecurity at lists.webappsec.org
>>>>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>>>>
>>>>
>>>
>>>
>>> --
>>> Regards
>>>
>>> Nitin Vindhara
>>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>
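Dinis Cruz's suggestion in the thread above, of mining the application's own source for URLs, form fields and REST routes before pointing a scanner at it, as an added Python example that is not part of this thread or of any scanner vendor's code. The HTML template, JavaScript and Flask-style route snippets are constructed sample inputs, the base URL app.example.test is a placeholder, and the extraction relies on the standard-library HTMLParser plus a few regexes rather than on any real scanner's import format. It goes one step beyond the suggestion by comparing client-side references with server-side routes, which surfaces endpoints a crawl-only scanner would never request.

```python
"""Static extraction of scanner seeds (URLs, form fields, REST routes) from
application source. Added example; all sample snippets are constructed."""
import re
from dataclasses import dataclass
from html.parser import HTMLParser

# --- constructed sample inputs (not from any real application) -------------
SAMPLE_HTML = """
<form action="/account/update" method="post">
  <input type="text" name="display_name">
  <input type="hidden" name="csrf_token" value="x">
  <textarea name="bio"></textarea>
  <select name="tz"><option>UTC</option></select>
</form>
<a href="/help">Help</a>
<a href="/reports?year=2013">Reports</a>
<form action="/search"><input name="q"></form>
"""
SAMPLE_JS = """
fetch('/api/v1/orders', {method: 'POST', body: JSON.stringify(o)});
fetch("/api/v1/orders/" + id);
$.ajax({url: '/api/v1/profile', type: 'PUT'});
"""
SAMPLE_ROUTES = """
@app.route('/api/v1/orders', methods=['GET', 'POST'])
@app.route('/api/v1/orders/<int:order_id>', methods=['GET', 'DELETE'])
@app.route('/admin/export')
"""


@dataclass(frozen=True)
class Endpoint:
    path: str          # path with {placeholder} for variable segments
    method: str        # HTTP verb, upper-case
    params: tuple = () # parameter names seen in forms or query strings
    source: str = ""   # html-form | html-link | js-client | server-route


class _HtmlCollector(HTMLParser):
    """Collects form actions (with their field names) and same-site links."""
    def __init__(self):
        super().__init__()
        self.endpoints = []
        self._form = None  # [action, method, [field names]] while inside <form>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = [a.get("action", ""), a.get("method", "get").upper(), []]
        elif tag in ("input", "textarea", "select") and self._form is not None:
            if a.get("name"):
                self._form[2].append(a["name"])
        elif tag == "a" and a.get("href", "").startswith("/"):
            path, _, query = a["href"].partition("?")
            params = tuple(p.split("=")[0] for p in query.split("&") if p)
            self.endpoints.append(Endpoint(path, "GET", params, "html-link"))

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            action, method, fields = self._form
            self.endpoints.append(Endpoint(action, method, tuple(fields), "html-form"))
            self._form = None


_JS_PATH_RE = re.compile(r"""(?:fetch\(|url\s*:)\s*['"](/[^'"]+)['"]""")
_JS_METHOD_RE = re.compile(r"""(?:method|type)\s*:\s*['"](\w+)['"]""")
_ROUTE_RE = re.compile(r"""@app\.route\(\s*['"]([^'"]+)['"](?:\s*,\s*methods\s*=\s*\[([^\]]*)\])?""")


def extract_from_js(src):
    """fetch()/$.ajax call sites: path, verb, and string concatenation as a placeholder."""
    out = []
    for stmt in src.split(";"):
        m = _JS_PATH_RE.search(stmt)
        if not m:
            continue
        path = m.group(1)
        if re.search(r"""['"]\s*\+""", stmt):      # '/x/' + id -> variable segment
            path = path.rstrip("/") + "/{id}"
        mm = _JS_METHOD_RE.search(stmt)
        out.append(Endpoint(path, mm.group(1).upper() if mm else "GET", (), "js-client"))
    return out


def extract_from_routes(src):
    """Flask-style decorators: one Endpoint per declared method, converters -> {name}."""
    out = []
    for m in _ROUTE_RE.finditer(src):
        path = re.sub(r"<(?:\w+:)?(\w+)>", r"{\1}", m.group(1))
        methods = re.findall(r"\w+", m.group(2)) if m.group(2) else ["GET"]
        out.extend(Endpoint(path, meth.upper(), (), "server-route") for meth in methods)
    return out


def build_inventory(html, js, routes):
    c = _HtmlCollector()
    c.feed(html)
    eps = set(c.endpoints) | set(extract_from_js(js)) | set(extract_from_routes(routes))
    return sorted(eps, key=lambda e: (e.path, e.method, e.source))


def seed_urls(endpoints, base="http://app.example.test"):
    """Concrete URLs to hand to a scanner; placeholders get a sample value '1'."""
    return sorted({base + re.sub(r"\{\w+\}", "1", e.path) for e in endpoints})


def coverage_gaps(endpoints):
    """Server routes with no client-side reference: a crawl-only scan never reaches them."""
    norm = lambda p: re.sub(r"\{\w+\}", "{}", p)
    client = {norm(e.path) for e in endpoints if e.source != "server-route"}
    return sorted({norm(e.path) for e in endpoints if e.source == "server-route"} - client)


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_HTML, SAMPLE_JS, SAMPLE_ROUTES)
    for e in inv:
        print(f"{e.method:6} {e.path:32} params={e.params} [{e.source}]")
    print("seed URLs:", *seed_urls(inv), sep="\n  ")
    print("routes never referenced by the client:", coverage_gaps(inv))
```

The form field names and the unreferenced `/admin/export` route are the two things worth feeding a scanner that it cannot discover on its own: the former tells it which parameters to fuzz without guessing, the latter is exactly the kind of endpoint that only shows up in source.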



