Id recommend Burp Pro, but it is not an automated tool. Www.burpsuite.com

Phil
Sent from iPhone
Twitter: @sec_prof

On Mar 5, 2013, at 17:53, Zippy Zeppoli zippyzeppoli@gmail.com wrote:

Hi Zippy,

I'm intrigued by your reluctance to use open source tools.
You seem to want a simple solution that just works out of the box.
I'd be surprised if you can find anything like that - I think all web app
scanners (commercial and open source) need some configuration to get the
most out of them.

I cant talk for any other tools, but ZAP is easy to install, and you can
perform a 'quick' scan by just entering a URL and pressing a button.
However you will need to perform more configuration in order to handle
authentication and tune to ZAP to work as effectively as possible with your
apps.
Not sure if you count that as 'engineering' ;)
If you do decide to give it a go you'll hopefully find that if you do have
any problems then any questions asked on our user group will get quick and
useful replies:)

Cheers,

Simon (ZAP project lead)

On Wed, Mar 6, 2013 at 9:20 AM, Vernon Jones Vernon.Jones@derivco.comwrote:

--
OWASP ZAP https://www.owasp.org/index.php/ZAP Project leader

What exactly do you mean by engineering? Do you have a non-standard web application protocol scheme or authentication scheme that you suspect might need some workarounds? If so, you need to be more specific. From your email, I get an impression that all you want to do is run a web app scan and generate a report of potential vulnerabilities to be used by other downstream processes (risk, audit, compliance). If that be the case, you can very well use ZAP. The auditors should recognize OWASP by its name and ZAP by its affiliation to OWASP. Commercial tools won't buy you much for all the chasing you will have to do to get a trial license with no IP/Domain restrictions on the scans.

ZAP is pretty intuitive. It took me more efforts to write this email than it takes to get ZAP up and running.

ZAP is as out of the box as any tool can get if all you need to do is run application vulnerability scanning/testing in general, as you said in your email.

1. Download and Install Zap - 3 mins (depending on your n/w connection)
2. Configure IE to run through the proxy - 1 min
3. Sit back with a hot cup of Chai Tea Latte and watch ZAP do its magic - Priceless

Warning: No engineering needed

Note:
If you do want to get specific and kind of dig deep into stuff only then you might have to deal with the engineering side of things but that's not too bad either :)

Try it! Free run on me :)

PS

On Mar 5, 2013, at 8:53 PM, Zippy Zeppoli zippyzeppoli@gmail.com wrote:

I wanted to say "Let the shilling begin" but you guys work fast.
He explicitly said he was interested in commercial tools.

He may need professional support, someone to take responsibility for damages,
a multi-user environment, LDAP integration, JIRA (or whatever) integration,
a billion other reasons one would need a commercial/enterprise-level system.

With that being said, I'm curious about the "engineering part" part myself.
What did you mean by that Zippy?

On 03/06/2013 03:04 PM, Prasad Shenoy wrote:> What exactly do you mean by engineering? Do you have a non-standard web application protocol scheme or authentication scheme that you suspect might need some workarounds? If so, you need to be more specific. From your email, I get an impression that all you want to do is run a web app scan and generate a report of potential vulnerabilities to be used by other downstream processes (risk, audit, compliance). If that be the case, you can very well use
ZAP. The auditors should recognize OWASP by its name and ZAP by its affiliation to OWASP. Commercial tools won't buy you much for all the chasing you will have to do to get a trial license with no IP/Domain restrictions on the scans.

Sooo... web application scanners that provide trial licenses with limiters like target domains can be circumvented by statically resolving their target domain to an IP of your choosing on the environment that you are running that application from. Note that your target application must accept arbitrary "Host" header entries.

Some interesting options to look into would be:

Netsparker
http://www.mavitunasecurity.com/netsparker/

Websecurify
http://www.websecurify.com/suite

Personally I don't put much faith in automated assessment utilities both open and closed source. There are a lot of common flaws and pitfalls that can negatively impact a scan and the quality of its output.

I always recommend that people move past the tools and dig into the concepts themselves, unlike network interrogation which in my opinion has a far more finite set of test cases, application interrogation is very complex and difficult to do generically well across the myriad of implementations people come up with daily... literally. All that said, many of the paid solutions have been working on the problem for a while and they set a decent bar, hybrid solutions like Whitehat that provide managed scanning tend to perform better than their unmanaged counterparts in my opinion.

/morning ramble

I didn't see your original question to the list, so this is the best answer I could provide within the context of what I saw.

D

--- On Tue, 3/5/13, Phil Gmail phil@safewalls.net wrote:

From: Phil Gmail phil@safewalls.net
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
To: "Zippy Zeppoli" zippyzeppoli@gmail.com
Cc: "websecurity@lists.webappsec.org" websecurity@lists.webappsec.org
Date: Tuesday, March 5, 2013, 6:46 PM

Id recommend Burp Pro, but it is not an automated tool. Www.burpsuite.com

Phil
Sent from iPhone
Twitter: @sec_prof

On Mar 5, 2013, at 17:53, Zippy Zeppoli zippyzeppoli@gmail.com wrote:

The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

"Web application scanners that provide trial licenses with limiters like
target domains can be circumvented by statically resolving their target
domain to an IP of your choosing on the environment that you are running
the scanner from."

--- On Wed, 3/6/13, Daniel Herrera daherrera101@yahoo.com wrote:

From: Daniel Herrera daherrera101@yahoo.com
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
To: "Zippy Zeppoli" zippyzeppoli@gmail.com, "Phil Gmail" phil@safewalls.net
Cc: "websecurity@lists.webappsec.org" websecurity@lists.webappsec.org
Date: Wednesday, March 6, 2013, 11:06 AM

Sooo... web application scanners that provide trial licenses with limiters like target domains can be circumvented by statically resolving their target domain to an IP of your choosing on the environment that you are running that application from. Note that your target application must accept arbitrary "Host" header entries.

Some interesting options to look into would be:

Netsparker
http://www.mavitunasecurity.com/netsparker/

Websecurify
http://www.websecurify.com/suite

Personally I don't put much faith in automated assessment utilities both open and closed source. There are a lot of common flaws and pitfalls that can negatively impact a scan and the quality of its output.

I always recommend that people move past the tools and dig into the concepts themselves, unlike network interrogation which in my opinion has a far
more finite set of test cases, application interrogation is very complex and difficult to do generically well across the myriad of implementations people come up with daily... literally. All that said, many of the paid solutions have been working on the problem for a while and they set a decent bar, hybrid solutions like Whitehat that provide managed scanning tend to perform better than their unmanaged counterparts in my opinion.

/morning ramble

I didn't see your original question to the list, so this is the best answer I could provide within the context of what I saw.

D

--- On Tue, 3/5/13, Phil Gmail phil@safewalls.net wrote:

From: Phil Gmail phil@safewalls.net
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
To: "Zippy Zeppoli"
zippyzeppoli@gmail.com
Cc: "websecurity@lists.webappsec.org" websecurity@lists.webappsec.org
Date: Tuesday, March 5, 2013, 6:46 PM

Id recommend Burp Pro, but it is not an automated tool. Www.burpsuite.com

Phil
Sent from iPhone
Twitter: @sec_prof

On Mar 5, 2013, at 17:53, Zippy Zeppoli zippyzeppoli@gmail.com wrote:

wondering

The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

My experience with appscan is better then and webinspect. I mean in
terms of identifying maximum vulnerabilities.

However more number of false positive are reported by appscan.
Accunetix is better in term of less false positive.

Burp is semi automated, but good in finding some additional vulnerability.
It can be a additional scanner, but not the only one.
Its main objective is as proxy not scanner.

However support of webinspect and accunetix are found better.

So depending of ur need and skill set you or your team have, decision
has to be taken.

Also this are my personal view, this can not be fool prove.

Regards
Nitin

On 3/6/13, Daniel Herrera daherrera101@yahoo.com wrote:

--
Regards

Nitin Vindhara

FYI

http://code.google.com/p/skipfish/

It is very fast, consumes little memory and causes 2000 requests per second,
but has no GUI, for example, is only parameters.

I prefer so fast.

@firebitsbr

2013/3/6 Nitin Vindhara nitin.vindhara@gmail.com