websecurity@lists.webappsec.org

The Web Security Mailing List


best tool for web app scanning / pen testing

Prasad Shenoy
Wed, Mar 6, 2013 9:26 PM

I love Skipfish too, but Zippy said no "engineering". The word "Cygwin" might scare him away, or so I thought... (I am only joking, Zippy!)

PS

On Mar 6, 2013, at 4:09 PM, firebits mrpa.security@gmail.com wrote:

FYI

http://code.google.com/p/skipfish/

It is very fast, consumes little memory and can generate 2000 requests per second, but it has no GUI: it is driven only by command-line parameters.

I prefer something that fast.

@firebitsbr

2013/3/6 Nitin Vindhara nitin.vindhara@gmail.com

My experience with AppScan has been better than with WebInspect, I mean in
terms of identifying the maximum number of vulnerabilities.

However, more false positives are reported by AppScan.
Acunetix is better in terms of fewer false positives.

Burp is semi-automated, but good at finding some additional vulnerabilities.
It can be an additional scanner, but not the only one.
Its main objective is as a proxy, not a scanner.

However, the support for WebInspect and Acunetix is found to be better.

So depending on your needs and the skill set you or your team have, the decision
has to be taken.

Also, these are my personal views; they are not foolproof.

Regards
Nitin

On 3/6/13, Daniel Herrera daherrera101@yahoo.com wrote:

"Web application scanners that provide trial licenses with limiters like
target domains can be circumvented by statically resolving their target
domain to an IP of your choosing on the environment that you are running
the scanner from."

--- On Wed, 3/6/13, Daniel Herrera daherrera101@yahoo.com wrote:

From: Daniel Herrera daherrera101@yahoo.com
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
To: "Zippy Zeppoli" zippyzeppoli@gmail.com, "Phil Gmail"
phil@safewalls.net
Cc: "websecurity@lists.webappsec.org" websecurity@lists.webappsec.org
Date: Wednesday, March 6, 2013, 11:06 AM

Sooo... web application scanners that provide trial licenses with limiters
like target domains can be circumvented by statically resolving their target
domain to an IP of your choosing on the environment that you are running
that application from. Note that your target application must accept
arbitrary "Host" header entries.

Some interesting options to look into would be:

Netsparker
http://www.mavitunasecurity.com/netsparker/

Websecurify
http://www.websecurify.com/suite

Personally, I don't put much faith in automated assessment utilities, both
open and closed source. There are a lot of common flaws and pitfalls that
can negatively impact a scan and the quality of its output.

I always recommend that people move past the tools and dig into the concepts
themselves. Unlike network interrogation, which in my opinion has a far
more finite set of test cases, application interrogation is very complex
and difficult to do generically well across the myriad of implementations
people come up with daily... literally. All that said, many of the paid
solutions have been working on the problem for a while and they set a decent
bar; hybrid solutions like Whitehat that provide managed scanning tend to
perform better than their unmanaged counterparts, in my opinion.

/morning ramble

I didn't see your original question to the list, so this is the best answer
I could provide within the context of what I saw.

D

--- On Tue, 3/5/13, Phil Gmail phil@safewalls.net wrote:

From: Phil Gmail phil@safewalls.net
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
To: "Zippy Zeppoli"
zippyzeppoli@gmail.com
Cc: "websecurity@lists.webappsec.org" websecurity@lists.webappsec.org
Date: Tuesday, March 5, 2013, 6:46 PM

I'd recommend Burp Pro, but it is not an automated tool. www.burpsuite.com

Phil
Sent from iPhone
Twitter: @sec_prof

On Mar 5, 2013, at 17:53, Zippy Zeppoli zippyzeppoli@gmail.com wrote:

Hello,
I am looking for a solution to do web application vulnerability
scanning / testing.
IBM's Rational AppScan seems like a good solution, and I've used it in the
past.
The only problem seems to be the IBM part. I'm trying to engage them
for a trial license that doesn't only scan some useless WebGoat, and
test it on my own app.

I'm getting kind of dismayed with the responsiveness, so I'm wondering
if there are better commercial solutions out there which are ready
to go out of the box.
I'd love to use open source tools, but I don't have the time to do the
engineering part since I'm overburdened.

Thanks for your tips.

Z


The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
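Daniel's caveat above, that the target must accept arbitrary "Host" header values once the scanner is pointed at an address rather than a name, is worth verifying before any scan is launched against an IP (the same question comes up when scanning a staging box by address, with no DNS entry at all). What follows is an added example, not code from the thread or from any scanner named in it: a small Python checker that sends requests with chosen Host values and reports whether the application's page comes back, exercised against a constructed loopback server that models both a strict virtual-host configuration and a catch-all one. The hostnames, the page marker and the demo server are assumptions for illustration.

```python
"""Added example: check whether an application reached by IP address is served
for an arbitrary Host header value. Hostnames, page marker and the loopback
demo server are constructed assumptions, not code from the thread."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

APP_MARKER = b"<title>Demo app</title>"  # constructed: a string unique to the app's page


def make_handler(allowed_hosts):
    """Handler for the constructed demo server.

    allowed_hosts=None models a catch-all default vhost (any Host value is served);
    a set of names models a strict vhost setup that answers 404 to unknown names.
    """
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            host = self.headers.get("Host", "")
            if allowed_hosts is None or host in allowed_hosts:
                self.send_response(200)
                self.send_header("Content-Type", "text/html")
                self.end_headers()
                self.wfile.write(b"<html>" + APP_MARKER + b"</html>")
            else:
                self.send_response(404)
                self.end_headers()
                self.wfile.write(b"unknown virtual host")

        def log_message(self, *args):  # keep the demo quiet
            pass

    return Handler


def start_demo_server(allowed_hosts):
    """Start the constructed server on an ephemeral loopback port; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(allowed_hosts))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe(ip, port, host_value, path="/"):
    """GET `path` from ip:port with an explicit Host header; return (status, body).

    http.client does not add its own Host header when one is supplied, so the
    server sees exactly the name we chose, as it would with a hosts-file override.
    """
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Host": host_value})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def host_header_report(ip, port, host_values, marker=APP_MARKER):
    """Map each Host value to 'served' or 'rejected', judged by the app's own page marker."""
    report = {}
    for name in host_values:
        status, body = probe(ip, port, name)
        report[name] = "served" if status == 200 and marker in body else "rejected"
    return report


def accepts_arbitrary_host(ip, port, real_name, other_name, marker=APP_MARKER):
    """True only when the app is served for its real name and for an unrelated one."""
    report = host_header_report(ip, port, [real_name, other_name], marker)
    return report[real_name] == "served" and report[other_name] == "served"


if __name__ == "__main__":
    names = ["app.example.test", "trial-target.example.test"]  # constructed names
    for label, allowed in (("strict vhost", {"app.example.test"}), ("catch-all vhost", None)):
        srv, port = start_demo_server(allowed)
        print(label, host_header_report("127.0.0.1", port, names))
        srv.shutdown()
        srv.server_close()
```

Against a real target, skip the demo server, pass the application's IP and port, and use a string that only its landing page contains as the marker. A "rejected" result for the unrelated name means the web server or a front-end proxy is keying on Host, so scanner traffic sent under the wrong name never reaches the application and the scan silently tests the default site instead; an HTTP redirect to the canonical name is the other common symptom and shows up here as "rejected" as well.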

Daniel Herrera
Wed, Mar 6, 2013 9:29 PM

+1 Skipfish

Love the utility, props to Zalewski for writing some great freeware.

--- On Wed, 3/6/13, firebits mrpa.security@gmail.com wrote:

From: firebits mrpa.security@gmail.com
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
To: "Nitin Vindhara" nitin.vindhara@gmail.com
Cc: "Daniel Herrera" daherrera101@yahoo.com, "websecurity@lists.webappsec.org" websecurity@lists.webappsec.org, "Phil Gmail" phil@safewalls.net, "Mauro Risonho de Paula Assumpção" mrpa.security@gmail.com
Date: Wednesday, March 6, 2013, 1:09 PM

FYI

http://code.google.com/p/skipfish/

It is very fast, consumes little memory and can generate 2000 requests per second, but it has no GUI: it is driven only by command-line parameters.

I prefer something that fast.

@firebitsbr

David Mirza Ahmad
Wed, Mar 6, 2013 9:44 PM

Hey all,

I guess I'll shill Vega here too, as it might be a compromise between
the typical open source and commercial offerings - our objective is
commercial quality open source. We've made some significant improvements
since the beta - in fact, we're about to launch 1.0, just putting
finishing touches on some stuff.

You can grab a current build here (note hard Java 7 dependency, will not
start without it):

http://www.subgraph.com/current

Some of the new features covered recently on our blog:

http://keystream.subgraph.com.

Cheers.

On 03/06/2013 04:26 PM, Prasad Shenoy wrote:

I love Skipfish too, but Zippy said no "engineering". The word "Cygwin" might scare him away, or so I thought... (I am only joking, Zippy!)

PS

On Mar 6, 2013, at 4:09 PM, firebits mrpa.security@gmail.com wrote:

FYI

http://code.google.com/p/skipfish/

--
David Mirza Ahmad dma@subgraph.com | @attractr
Subgraph | @subgraph
Vega, the Open Source Web Security Platform
http://www.subgraph.com
78A1 CCFD 1C60 4BA7 5E1C C1F2 42D7 08C0 2520 8C7B

Dinis Cruz
Wed, Mar 6, 2013 10:46 PM

If you have access to the source code of the target application, you should also analyse it and extract data to feed to the web scanners (for example, all possible URLs, form fields, web services, REST interfaces, etc.).

Dinis Cruz

On 6 Mar 2013, at 19:55, Nitin Vindhara nitin.vindhara@gmail.com wrote:

My experience with AppScan has been better than with WebInspect, I mean in
terms of identifying the maximum number of vulnerabilities.

However, more false positives are reported by AppScan.
Acunetix is better in terms of fewer false positives.

Burp is semi-automated, but good at finding some additional vulnerabilities.
It can be an additional scanner, but not the only one.
Its main objective is as a proxy, not a scanner.

However, the support for WebInspect and Acunetix is found to be better.

So depending on your needs and the skill set you or your team have, the decision
has to be taken.

Also, these are my personal views; they are not foolproof.

Regards
Nitin


OS
Ofer Shezaf
Thu, Mar 7, 2013 6:02 AM

Commercial scanners do that today, usually as part of their integration with
a runtime element embedded in the application.

~ Ofer

-----Original Message-----
From: websecurity [mailto:websecurity-bounces@lists.webappsec.org] On Behalf
Of Dinis Cruz
Sent: Thursday, March 07, 2013 12:46 AM
To: Nitin Vindhara
Cc: websecurity@lists.webappsec.org; Phil Gmail
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing

If you have access to the source code of the target application, you should
also analyse it and extract data to feed to the web scanners (for example
all possible urls, form fields, web services, REST interfaces, etc)

Dinis Cruz

On 6 Mar 2013, at 19:55, Nitin Vindhara nitin.vindhara@gmail.com wrote:

My experience with appscan is better than with webinspect. I mean in
terms of identifying the maximum number of vulnerabilities.

However, more false positives are reported by appscan.
Accunetix is better in terms of fewer false positives.

Burp is semi-automated, but good at finding some additional vulnerabilities.
It can be an additional scanner, but not the only one.
Its main objective is as a proxy, not a scanner.

However, support for webinspect and accunetix is found to be better.

So depending on your needs and the skill set you or your team have, the decision
has to be taken.

Also, these are my personal views; they cannot be foolproof.

Regards
Nitin

On 3/6/13, Daniel Herrera daherrera101@yahoo.com wrote:

"Web application scanners that provide trial licenses with limiters
like target domains can be circumvented by statically resolving their
target domain to an IP of your choosing on the environment that you
are running the scanner from."

--- On Wed, 3/6/13, Daniel Herrera daherrera101@yahoo.com wrote:

From: Daniel Herrera daherrera101@yahoo.com
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
testing
To: "Zippy Zeppoli" zippyzeppoli@gmail.com, "Phil Gmail"
phil@safewalls.net
Cc: "websecurity@lists.webappsec.org"
websecurity@lists.webappsec.org
Date: Wednesday, March 6, 2013, 11:06 AM

Sooo... web application scanners that provide trial licenses with
limiters like target domains can be circumvented by statically
resolving their target domain to an IP of your choosing on the
environment that you are running that application from. Note that
your target application must accept arbitrary "Host" header entries.

Some interesting options to look into would be:

Netsparker
http://www.mavitunasecurity.com/netsparker/

Websecurify
http://www.websecurify.com/suite

Personally I don't put much faith in automated assessment utilities
both open and closed source. There are a lot of common flaws and
pitfalls that can negatively impact a scan and the quality of its output.

I always recommend that people move past the tools and dig into the
concepts themselves, unlike network interrogation which in my opinion
has a far more finite set of test cases, application interrogation is
very complex and difficult to do generically well across the myriad
of implementations people come up with daily... literally. All that
said, many of the paid solutions have been working on the problem for
a while and they set a decent bar, hybrid solutions like Whitehat
that provide managed scanning tend to perform better than their unmanaged
counterparts in my opinion.

/morning ramble

I didn't see your original question to the list, so this is the best
answer I could provide within the context of what I saw.

D

--- On Tue, 3/5/13, Phil Gmail phil@safewalls.net wrote:

From: Phil Gmail phil@safewalls.net
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
testing
To: "Zippy Zeppoli"
zippyzeppoli@gmail.com
Cc: "websecurity@lists.webappsec.org"
websecurity@lists.webappsec.org
Date: Tuesday, March 5, 2013, 6:46 PM

I'd recommend Burp Pro, but it is not an automated tool.
Www.burpsuite.com

Phil
Sent from iPhone
Twitter: @sec_prof

On Mar 5, 2013, at 17:53, Zippy Zeppoli zippyzeppoli@gmail.com wrote:

Hello,
I am looking for a solution to do web application vulnerability
scanning / testing.
IBM's rational appscan seems like a good solution, and I've used it
in the past.
The only problem seems to be the IBM part. I'm trying to engage them
for a trial license that doesn't only scan some useless webgoat, and
test it on my own app.

I'm getting kind of dismayed with the responsiveness, so I'm wondering
if there are better commercial solutions out there which are ready
to go out of the box.
I'd love to use open source tools, but I don't have the time to do
the engineering part since I'm overburdened.

Thanks for your tips.

Z


The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

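Dinis Cruz's suggestion quoted above (mine the application's own source for URLs, form fields and REST endpoints and feed them to the scanner) is the static counterpart of the runtime integration Ofer mentions. The following is an added example, not code from this thread or from any of the scanners discussed: a small Python seed-list extractor that pulls Flask-style `@app.route` declarations out of Python files and `<form>` actions and field names out of HTML templates, then merges them into a list of (URL, method, parameters) entries a scanner can import. The sample sources, the base URL `http://app.example.test` and the placeholder values substituted for path converters such as `<int:user_id>` are constructed for the example; other frameworks would need their own route extractor.

```python
"""Build a scanner seed list (URLs, methods, form fields) from application source.

Constructed example: assumes Flask-style route decorators and HTML templates.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample sources standing in for a checked-out application tree.
SAMPLE_SOURCES = {
    "app/views.py": '''
from flask import Flask
app = Flask(__name__)

@app.route("/login", methods=["GET", "POST"])
def login(): ...

@app.route("/api/users/<int:user_id>", methods=["GET", "DELETE"])
def user(user_id): ...

@app.route("/health")
def health(): ...
''',
    "app/templates/login.html": '''
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="x">
  <button type="submit">Sign in</button>
</form>
<form action="/search">
  <input name="q">
</form>
''',
}

ROUTE_RE = re.compile(
    r'@\w+\.route\(\s*["\']([^"\']+)["\']'    # the path literal
    r'(?:[^)]*methods\s*=\s*\[([^\]]*)\])?',  # optional methods=[...] list
)
PARAM_RE = re.compile(r"<(?:(\w+):)?(\w+)>")  # Flask converters such as <int:id>

# Placeholder values (constructed) so a scanner can request parameterised routes.
CONVERTER_SAMPLES = {"int": "1", "float": "1.0",
                     "uuid": "00000000-0000-0000-0000-000000000000"}


def concretise(path):
    """Replace <converter:name> segments with a sample value of the right type."""
    return PARAM_RE.sub(lambda m: CONVERTER_SAMPLES.get(m.group(1), "test"), path)


def extract_routes(source):
    """Return (path, sorted methods) for every Flask route decorator in source."""
    found = []
    for m in ROUTE_RE.finditer(source):
        if m.group(2):
            methods = sorted(s.strip(" \"'") for s in m.group(2).split(",") if s.strip())
        else:
            methods = ["GET"]  # Flask's default when methods= is omitted
        found.append((concretise(m.group(1)), methods))
    return found


class FormExtractor(HTMLParser):
    """Collect {action, method, fields} for each <form> in an HTML template."""

    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").upper(),
                             "fields": []}
        elif tag in ("input", "select", "textarea") and self._current and a.get("name"):
            self._current["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def build_seed_list(sources, base_url="http://app.example.test"):
    """Merge routes and forms into scanner seed entries: {url, method, params}."""
    seeds = {}
    for path, text in sources.items():
        if path.endswith(".py"):
            for route, methods in extract_routes(text):
                for method in methods:
                    seeds.setdefault((method, route), set())
        elif path.endswith(".html"):
            parser = FormExtractor()
            parser.feed(text)
            for form in parser.forms:
                seeds.setdefault((form["method"], form["action"]), set()).update(form["fields"])
    return [{"url": urljoin(base_url, route), "method": method, "params": sorted(params)}
            for (method, route), params in sorted(seeds.items())]


if __name__ == "__main__":
    for entry in build_seed_list(SAMPLE_SOURCES):
        print(entry["method"], entry["url"], ",".join(entry["params"]))
```

The output is a flat list of method/URL/parameter entries that can be written out as a URL file for whichever scanner's import feature you use. Static extraction of this kind misses routes that are registered dynamically or behind authentication flows, which is exactly the gap the embedded runtime element Ofer describes is meant to close.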
AG
Andre Gironda
Thu, Mar 7, 2013 6:36 PM

I like to pick up a new tool every time I need to do something with web
apps or pen-testing. Or pick up a new way to write an HTTP client in a
different language. Or parse HTML/JS/AS. Or especially to figure out what
blobs of data are.

Therefore, I have concluded that the best tool for web app scanning / pen
testing is Unix. Any Unix or clone of Unix, or subset of Unix such as
Cygwin. They'll all do. ;>

dre

On Wed, Mar 6, 2013 at 11:02 PM, Ofer Shezaf ofer@shezaf.com wrote:

Commercial scanners do that today, usually as part of their integration
with a runtime element embedded in the application.

~ Ofer

-----Original Message-----
From: websecurity [mailto:websecurity-bounces@lists.webappsec.org] On Behalf
Of Dinis Cruz
Sent: Thursday, March 07, 2013 12:46 AM
To: Nitin Vindhara
Cc: websecurity@lists.webappsec.org; Phil Gmail
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing

If you have access to the source code of the target application, you should
also analyse it and extract data to feed to the web scanners (for example
all possible urls, form fields, web services, REST interfaces, etc)

Dinis Cruz

On 6 Mar 2013, at 19:55, Nitin Vindhara nitin.vindhara@gmail.com wrote:

My experience with appscan is better than with webinspect. I mean in
terms of identifying the maximum number of vulnerabilities.

However, more false positives are reported by appscan.
Accunetix is better in terms of fewer false positives.

Burp is semi-automated, but good at finding some additional vulnerabilities.
It can be an additional scanner, but not the only one.
Its main objective is as a proxy, not a scanner.

However, support for webinspect and accunetix is found to be better.

So depending on your needs and the skill set you or your team have, the decision
has to be taken.

Also, these are my personal views; they cannot be foolproof.

Regards
Nitin

On 3/6/13, Daniel Herrera daherrera101@yahoo.com wrote:

"Web application scanners that provide trial licenses with limiters
like target domains can be circumvented by statically resolving their
target domain to an IP of your choosing on the environment that you
are running the scanner from."

--- On Wed, 3/6/13, Daniel Herrera daherrera101@yahoo.com wrote:

From: Daniel Herrera daherrera101@yahoo.com
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
testing
To: "Zippy Zeppoli" zippyzeppoli@gmail.com, "Phil Gmail"
phil@safewalls.net
Cc: "websecurity@lists.webappsec.org"
websecurity@lists.webappsec.org
Date: Wednesday, March 6, 2013, 11:06 AM

Sooo... web application scanners that provide trial licenses with
limiters like target domains can be circumvented by statically
resolving their target domain to an IP of your choosing on the
environment that you are running that application from. Note that
your target application must accept arbitrary "Host" header entries.

Some interesting options to look into would be:

Netsparker
http://www.mavitunasecurity.com/netsparker/

Websecurify
http://www.websecurify.com/suite

Personally I don't put much faith in automated assessment utilities
both open and closed source. There are a lot of common flaws and
pitfalls that can negatively impact a scan and the quality of its output.

I always recommend that people move past the tools and dig into the
concepts themselves, unlike network interrogation which in my opinion
has a far more finite set of test cases, application interrogation is
very complex and difficult to do generically well across the myriad
of implementations people come up with daily... literally. All that
said, many of the paid solutions have been working on the problem for
a while and they set a decent bar, hybrid solutions like Whitehat
that provide managed scanning tend to perform better than their unmanaged
counterparts in my opinion.

/morning ramble

I didn't see your original question to the list, so this is the best
answer I could provide within the context of what I saw.

D

--- On Tue, 3/5/13, Phil Gmail phil@safewalls.net wrote:

From: Phil Gmail phil@safewalls.net
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
testing
To: "Zippy Zeppoli"
zippyzeppoli@gmail.com
Cc: "websecurity@lists.webappsec.org"
websecurity@lists.webappsec.org
Date: Tuesday, March 5, 2013, 6:46 PM

I'd recommend Burp Pro, but it is not an automated tool.
Www.burpsuite.com

Phil
Sent from iPhone
Twitter: @sec_prof

On Mar 5, 2013, at 17:53, Zippy Zeppoli zippyzeppoli@gmail.com wrote:

Hello,
I am looking for a solution to do web application vulnerability
scanning / testing.
IBM's rational appscan seems like a good solution, and I've used it
in the past.
The only problem seems to be the IBM part. I'm trying to engage them
for a trial license that doesn't only scan some useless webgoat, and
test it on my own app.

I'm getting kind of dismayed with the responsiveness, so I'm wondering
if there are better commercial solutions out there which are ready
to go out of the box.
I'd love to use open source tools, but I don't have the time to do
the engineering part since I'm overburdened.

Thanks for your tips.

Z



F
firebits
Thu, Mar 7, 2013 7:29 PM

I'm optimizing and adding more strings for LFI

/* Strings for traversal and file disclosure tests. Should the order not be
changed */ in checks.h

but I have not officially informed the creators of the project; I'll
do that this weekend.

  • 50 new LFI strings

Sorry for my bad English

@firebitsbr

2013/3/7 Ofer Shezaf ofer@shezaf.com

Commercial scanners do that today, usually as part of their integration
with a runtime element embedded in the application.

~ Ofer

-----Original Message-----
From: websecurity [mailto:websecurity-bounces@lists.webappsec.org] On Behalf
Of Dinis Cruz
Sent: Thursday, March 07, 2013 12:46 AM
To: Nitin Vindhara
Cc: websecurity@lists.webappsec.org; Phil Gmail
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing

If you have access to the source code of the target application, you should
also analyse it and extract data to feed to the web scanners (for example
all possible urls, form fields, web services, REST interfaces, etc)

Dinis Cruz

On 6 Mar 2013, at 19:55, Nitin Vindhara nitin.vindhara@gmail.com wrote:

My experience with appscan is better than with webinspect. I mean in
terms of identifying the maximum number of vulnerabilities.

However, more false positives are reported by appscan.
Accunetix is better in terms of fewer false positives.

Burp is semi-automated, but good at finding some additional vulnerabilities.
It can be an additional scanner, but not the only one.
Its main objective is as a proxy, not a scanner.

However, support for webinspect and accunetix is found to be better.

So depending on your needs and the skill set you or your team have, the decision
has to be taken.

Also, these are my personal views; they cannot be foolproof.

Regards
Nitin

On 3/6/13, Daniel Herrera daherrera101@yahoo.com wrote:

"Web application scanners that provide trial licenses with limiters
like target domains can be circumvented by statically resolving their
target domain to an IP of your choosing on the environment that you
are running the scanner from."

--- On Wed, 3/6/13, Daniel Herrera daherrera101@yahoo.com wrote:

From: Daniel Herrera daherrera101@yahoo.com
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
testing
To: "Zippy Zeppoli" zippyzeppoli@gmail.com, "Phil Gmail"
phil@safewalls.net
Cc: "websecurity@lists.webappsec.org"
websecurity@lists.webappsec.org
Date: Wednesday, March 6, 2013, 11:06 AM

Sooo... web application scanners that provide trial licenses with
limiters like target domains can be circumvented by statically
resolving their target domain to an IP of your choosing on the
environment that you are running that application from. Note that
your target application must accept arbitrary "Host" header entries.

Some interesting options to look into would be:

Netsparker
http://www.mavitunasecurity.com/netsparker/

Websecurify
http://www.websecurify.com/suite

Personally I don't put much faith in automated assessment utilities
both open and closed source. There are a lot of common flaws and
pitfalls that can negatively impact a scan and the quality of its output.

I always recommend that people move past the tools and dig into the
concepts themselves, unlike network interrogation which in my opinion
has a far more finite set of test cases, application interrogation is
very complex and difficult to do generically well across the myriad
of implementations people come up with daily... literally. All that
said, many of the paid solutions have been working on the problem for
a while and they set a decent bar, hybrid solutions like Whitehat
that provide managed scanning tend to perform better than their unmanaged
counterparts in my opinion.

/morning ramble

I didn't see your original question to the list, so this is the best
answer I could provide within the context of what I saw.

D

--- On Tue, 3/5/13, Phil Gmail phil@safewalls.net wrote:

From: Phil Gmail phil@safewalls.net
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
testing
To: "Zippy Zeppoli"
zippyzeppoli@gmail.com
Cc: "websecurity@lists.webappsec.org"
websecurity@lists.webappsec.org
Date: Tuesday, March 5, 2013, 6:46 PM

I'd recommend Burp Pro, but it is not an automated tool.
Www.burpsuite.com

Phil
Sent from iPhone
Twitter: @sec_prof

On Mar 5, 2013, at 17:53, Zippy Zeppoli zippyzeppoli@gmail.com wrote:

Hello,
I am looking for a solution to do web application vulnerability
scanning / testing.
IBM's rational appscan seems like a good solution, and I've used it
in the past.
The only problem seems to be the IBM part. I'm trying to engage them
for a trial license that doesn't only scan some useless webgoat, and
test it on my own app.

I'm getting kind of dismayed with the responsiveness, so I'm wondering
if there are better commercial solutions out there which are ready
to go out of the box.
I'd love to use open source tools, but I don't have the time to do
the engineering part since I'm overburdened.

Thanks for your tips.

Z



OS
Ofer Shezaf
Thu, Mar 7, 2013 7:42 PM

I gave it a try. I SSHed to the first Unix machine I could find. I stared at
the prompt. It stared at me. Alas, no application vulnerability surfaced out
from the black surface.

What you really say is that Unix + Andre is the best tool. I accept that.
The only issue is that Andre is a very scarce resource (approximately 1 in 7
billion in the sample population).

~ Ofer

From: Andre Gironda [mailto:andreg@gmail.com]
Sent: Thursday, March 07, 2013 8:37 PM
To: Ofer Shezaf
Cc: Dinis Cruz; Nitin Vindhara; websecurity@lists.webappsec.org; Phil Gmail
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing

I like to pick up a new tool every time I need to do something with web apps
or pen-testing. Or pick up a new way to write an HTTP client in a different
language. Or parse HTML/JS/AS. Or especially to figure out what blobs of
data are.

Therefore, I have concluded that the best tool for web app scanning / pen
testing is Unix. Any Unix or clone of Unix, or subset of Unix such as
Cygwin. They'll all do. ;>

dre

On Wed, Mar 6, 2013 at 11:02 PM, Ofer Shezaf <ofer@shezaf.com> wrote:

Commercial scanners do that today, usually as part of their integration with
a runtime element embedded in the application.

~ Ofer

-----Original Message-----
From: websecurity [mailto:websecurity-bounces@lists.webappsec.org] On Behalf
Of Dinis Cruz
Sent: Thursday, March 07, 2013 12:46 AM
To: Nitin Vindhara
Cc: websecurity@lists.webappsec.org; Phil Gmail
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing

If you have access to the source code of the target application, you should
also analyse it and extract data to feed to the web scanners (for example
all possible URLs, form fields, web services, REST interfaces, etc.)

Dinis Cruz

On 6 Mar 2013, at 19:55, Nitin Vindhara <nitin.vindhara@gmail.com> wrote:

My experience with AppScan is better than WebInspect. I mean in
terms of identifying the maximum number of vulnerabilities.

However, more false positives are reported by AppScan.
Acunetix is better in terms of fewer false positives.

Burp is semi-automated, but good at finding some additional vulnerabilities.
It can be an additional scanner, but not the only one.
Its main objective is as a proxy, not a scanner.

However, support for WebInspect and Acunetix is found to be better.

So depending on your need and the skill set you or your team have, the decision
has to be taken.

Also, these are my personal views; this cannot be foolproof.

Regards
Nitin

On 3/6/13, Daniel Herrera <daherrera101@yahoo.com> wrote:

"Web application scanners that provide trial licenses with limiters
like target domains can be circumvented by statically resolving their
target domain to an IP of your choosing on the environment that you
are running the scanner from."

--- On Wed, 3/6/13, Daniel Herrera <daherrera101@yahoo.com> wrote:

From: Daniel Herrera <daherrera101@yahoo.com>
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
testing
To: "Zippy Zeppoli" <zippyzeppoli@gmail.com>, "Phil Gmail" <phil@safewalls.net>
Cc: "websecurity@lists.webappsec.org" <websecurity@lists.webappsec.org>
Date: Wednesday, March 6, 2013, 11:06 AM

Sooo... web application scanners that provide trial licenses with
limiters like target domains can be circumvented by statically
resolving their target domain to an IP of your choosing on the
environment that you are running that application from. Note that
your target application must accept arbitrary "Host" header entries.

Some interesting options to look into would be:

Netsparker
http://www.mavitunasecurity.com/netsparker/

Websecurify
http://www.websecurify.com/suite

Personally I don't put much faith in automated assessment utilities
both open and closed source. There are a lot of common flaws and
pitfalls that can negatively impact a scan and the quality of its output.

I always recommend that people move past the tools and dig into the
concepts themselves, unlike network interrogation which in my opinion
has a far more finite set of test cases, application interrogation is
very complex and difficult to do generically well across the myriad
of implementations people come up with daily... literally. All that
said, many of the paid solutions have been working on the problem for
a while and they set a decent bar, hybrid solutions like Whitehat
that provide managed scanning tend to perform better than their unmanaged
counterparts in my opinion.

/morning ramble

I didn't see your original question to the list, so this is the best
answer I could provide within the context of what I saw.

D

--- On Tue, 3/5/13, Phil Gmail <phil@safewalls.net> wrote:

From: Phil Gmail <phil@safewalls.net>
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
testing
To: "Zippy Zeppoli" <zippyzeppoli@gmail.com>
Cc: "websecurity@lists.webappsec.org" <websecurity@lists.webappsec.org>
Date: Tuesday, March 5, 2013, 6:46 PM

I'd recommend Burp Pro, but it is not an automated tool.
Www.burpsuite.com

Phil
Sent from iPhone
Twitter: @sec_prof

On Mar 5, 2013, at 17:53, Zippy Zeppoli <zippyzeppoli@gmail.com> wrote:

Hello,
I am looking for a solution to do web application vulnerability
scanning / testing.
IBM's Rational AppScan seems like a good solution, and I've used it
in the past.
The only problem seems to be the IBM part. I'm trying to engage them
for a trial license that doesn't only scan some useless webgoat, and
test it on my own app.

I'm getting kind of dismayed with the responsiveness, so I'm wondering
if there are better commercial solutions out there which are ready
to go out of the box.
I'd love to use open source tools, but I don't have the time to do
the engineering part since I'm overburdened.

Thanks for your tips.

Z



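Dinis Cruz's suggestion above (pull URLs, methods and form fields out of the application's source and hand them to the scanner as seeds) as an added example; this is not code from the thread or from any of the scanners named in it. It assumes a Flask-style routes module, plain HTML templates, and a made-up line-based "METHOD URL params" seed format; the base URL and both sample inputs are constructed.

```python
"""Build a DAST seed list from application source (added example, not from the thread).

Parses Flask-style @app.route decorators for paths and methods, and HTML
templates for <form> actions and field names, then merges them into
'METHOD URL field=&field=' lines. The seed format is an assumption for the
example, not any scanner's import format.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample: a Flask-style view module (assumed input shape).
SAMPLE_ROUTES = '''
@app.route("/")
def index(): ...

@app.route("/login", methods=["GET", "POST"])
def login(): ...

@app.route("/api/users/<int:user_id>", methods=["GET", "DELETE"])
def user(user_id): ...

@app.route("/search")
def search(): ...
'''

# Constructed sample: an HTML template with two forms.
SAMPLE_TEMPLATE = '''
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="x">
</form>
<form action="/search">
  <input name="q">
  <select name="sort"><option>asc</option></select>
</form>
'''

ROUTE_RE = re.compile(
    r'@app\.route\(\s*"(?P<path>[^"]+)"(?:\s*,\s*methods=\[(?P<methods>[^\]]*)\])?\s*\)'
)
# Flask path converters such as <int:user_id> or <name>.
PARAM_RE = re.compile(r"<(?:[a-z]+:)?(?P<name>\w+)>")


def extract_routes(source):
    """Return [(path, [methods])] from Flask-style decorators; default method is GET."""
    routes = []
    for m in ROUTE_RE.finditer(source):
        methods = re.findall(r'"(\w+)"', m.group("methods") or "") or ["GET"]
        routes.append((m.group("path"), methods))
    return routes


class FormCollector(HTMLParser):
    """Collect (action, METHOD, [field names]) for every <form> in a template."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action", ""), a.get("method", "get").upper(), []]
        elif tag in ("input", "select", "textarea") and self._current and a.get("name"):
            self._current[2].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._current:
            self.forms.append(tuple(self._current))
            self._current = None


def extract_forms(html):
    parser = FormCollector()
    parser.feed(html)
    return parser.forms


def build_seed_list(base_url, routes, forms):
    """Merge routes and forms into sorted 'METHOD URL field=&...' seed lines.

    Path converters become a sample value ("1") so the URL is concrete; a form
    contributes its field names only to the route whose method it posts to."""
    fields_by_action = {action: (method, names) for action, method, names in forms}
    seeds = set()
    for path, methods in routes:
        url = urljoin(base_url, PARAM_RE.sub(lambda m: "1", path))
        for method in methods:
            params = ""
            if path in fields_by_action and fields_by_action[path][0] == method:
                params = "&".join(f"{name}=" for name in fields_by_action[path][1])
            seeds.add(f"{method} {url} {params}".rstrip())
    return sorted(seeds)


if __name__ == "__main__":
    for line in build_seed_list("http://app.example.test",
                                extract_routes(SAMPLE_ROUTES),
                                extract_forms(SAMPLE_TEMPLATE)):
        print(line)
```

The same walk over real templates also surfaces hidden fields and unlinked endpoints that a crawler never reaches, which is the coverage gap the suggestion is about.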
ZZ
Zippy Zeppoli
Fri, Mar 8, 2013 7:31 PM

Classic buy vs build.
Advantages to both.
Not against open source.

On Wed, Mar 6, 2013 at 3:31 AM, psiinon psiinon@gmail.com wrote:

Hi Zippy,

I'm intrigued by your reluctance to use open source tools.
You seem to want a simple solution that just works out of the box.
I'd be surprised if you can find anything like that - I think all web app
scanners (commercial and open source) need some configuration to get the
most out of them.

I can't talk for any other tools, but ZAP is easy to install, and you can
perform a 'quick' scan by just entering a URL and pressing a button.
However you will need to perform more configuration in order to handle
authentication and tune ZAP to work as effectively as possible with your
apps.
Not sure if you count that as 'engineering' ;)
If you do decide to give it a go you'll hopefully find that if you do have
any problems then any questions asked on our user group will get quick and
useful replies :)

Cheers,

Simon (ZAP project lead)

On Wed, Mar 6, 2013 at 9:20 AM, Vernon Jones Vernon.Jones@derivco.com
wrote:

Hey Z

For commercial tools you can try one of the following

HP Fortify WebInspect -
http://www8.hp.com/us/en/software-solutions/software.html?compURI=1341991

Acunetix - www.acunetix.com

For Open source you can try one of the following

OWASP Zed Attack Proxy with built-in scanner for the OWASP Top 10 -
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

CAT Proxy - http://www.contextis.com/research/tools/cat/

Hope this helps dude

V

-----Original Message-----
From: websecurity [mailto:websecurity-bounces@lists.webappsec.org] On
Behalf Of Zippy Zeppoli
Sent: 06 March 2013 03:54 AM
To: websecurity@lists.webappsec.org
Subject: [WEB SECURITY] best tool for web app scanning / pen testing

Hello,
I am looking for a solution to do web application vulnerability scanning /
testing.
IBM's Rational AppScan seems like a good solution, and I've used it in the
past.
The only problem seems to be the IBM part. I'm trying to engage them for a
trial license that doesn't only scan some useless webgoat, and test it on my
own app.

I'm getting kind of dismayed with the responsiveness, so I'm wondering if
there are better commercial solutions out there which are ready to go out
of the box.
I'd love to use open source tools, but I don't have the time to do the
engineering part since I'm overburdened.

Thanks for your tips.

Z






--
OWASP ZAP Project leader
