Re: [WEB SECURITY] best tool for web app scanning / pen testing
Ofer,
It's just that most Unixes come with either wget or curl right from the
start. You'd have to install Powershell to get anything equivalent on
Windows, unless you were already a developer who had your own HTTP/TLS
clients written in a certain language, such as .NET (which could also be
ported to Unix with Mono).
Metasploit requires Unix (or Cygwin when on Windows), and it's the dominant
pen testing platform across the world. How could you say it's just me?
There are many open-source tools, libraries, frameworks, and testing
platforms, especially built around Unix platforms. During a pen test, it's
about combining those things together -- to which I haven't seen a good
commercial library or framework in the web app pen space.
There are some commercial tools that can be used by pen-testers in the
Enterprise workflow for application security risk management purposes. For
example, I like to get all of my findings into Burp Suite Professional so
that I can submit them to Fortify Software Security Center. Note that I
work for HP, so I may come across Fortify SSC more often than this audience.
By no means should you assume that myself or anyone who does web app pen
for HP or any company uses only those tools. I am literally saying here
that all tools are relevant and have purpose when dealing with appsec. If
you want to present your findings to an information security team,
directors, or C-level executives trying to make decisions around appsec
risk management issues, then there are few commercial portal offerings to
aid in that effort. Application security risk management portals are
critical path to instill inside a large-installation organization.
In other words, it's not "which tools" you need "to buy", but more "what
skillsets do you need to find the issues and can those skills match up to
the requirements necessary to report/understand/mediate those issues?". The
answer to the skillsets is usually either a Unix person, or an appdev who
has written their own HTTP/TLS clients and XML/JSON/HTML/JS/AS parsers.
Would you say it's easier to find/educate a Unix person or a
specific-domain appdev?
dre
On Thu, Mar 7, 2013 at 12:42 PM, Ofer Shezaf ofer@shezaf.com wrote:
I gave it a try. I SSHed to the first Unix machine I could find. I stared
at the prompt. It stared at me. Alas, no application vulnerability surfaced
out from the black surface.****
What you really say is that Unix + Andre is the best tool. I accept that.
The only issue is that Andre is a very scarce resource (approximately 1 in
7 billion in the sample population).****
~ Ofer****
From: Andre Gironda [mailto:andreg@gmail.com]
Sent: Thursday, March 07, 2013 8:37 PM
To: Ofer Shezaf
Cc: Dinis Cruz; Nitin Vindhara; websecurity@lists.webappsec.org; Phil
Gmail
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
I like to pick up a new tool every time I need to do something with web
apps or pen-testing. Or pick up a new way to write an HTTP client in a
different language. Or parse HTML/JS/AS. Or especially to figure out what
blobs of data are.****
Therefore, I have concluded that the best tool for web app scanning / pen
testing is Unix. Any Unix or clone of Unix, or subset of Unix such as
Cygwin. They'll all do. ;>****
dre****
On Wed, Mar 6, 2013 at 11:02 PM, Ofer Shezaf ofer@shezaf.com wrote:****
Commercial scanners do that today, usually as part of their integration
with
a runtime element embedded in the application.
~ Ofer****
-----Original Message-----
From: websecurity [mailto:websecurity-bounces@lists.webappsec.org] On
Behalf****
Of Dinis Cruz
Sent: Thursday, March 07, 2013 12:46 AM
To: Nitin Vindhara
Cc: websecurity@lists.webappsec.org; Phil Gmail
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
If you have access to the source code of the target application, you should
also analyse it and extract data to feed to the web scanners (for example
all possible urls, form fields, web services, REST interfaces, etc)
Dinis Cruz
On 6 Mar 2013, at 19:55, Nitin Vindhara nitin.vindhara@gmail.com wrote:
My experience with appscan is better then and webinspect. I mean in
terms of identifying maximum vulnerabilities.
However more number of false positive are reported by appscan.
Accunetix is better in term of less false positive.
Burp is semi automated, but good in finding some additional
vulnerability.
It can be a additional scanner, but not the only one.
Its main objective is as proxy not scanner.
However support of webinspect and accunetix are found better.
So depending of ur need and skill set you or your team have, decision
has to be taken.
Also this are my personal view, this can not be fool prove.
Regards
Nitin
On 3/6/13, Daniel Herrera daherrera101@yahoo.com wrote:
"Web application scanners that provide trial licenses with limiters
like target domains can be circumvented by statically resolving their
target domain to an IP of your choosing on the environment that you
are running the scanner from."
--- On Wed, 3/6/13, Daniel Herrera daherrera101@yahoo.com wrote:
From: Daniel Herrera daherrera101@yahoo.com
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
testing
To: "Zippy Zeppoli" zippyzeppoli@gmail.com, "Phil Gmail"
phil@safewalls.net
Cc: "websecurity@lists.webappsec.org"
websecurity@lists.webappsec.org
Date: Wednesday, March 6, 2013, 11:06 AM
Sooo... web application scanners that provide trial licenses with
limiters like target domains can be circumvented by statically
resolving their target domain to an IP of your choosing on the
environment that you are running that application from. Note that
your target application must accept arbitrary "Host" header entries.
Some interesting options to look into would be:
Netsparker
http://www.mavitunasecurity.com/netsparker/
Websecurify
http://www.websecurify.com/suite
Personally I don't put much faith in automated assessment utilities
both open and closed source. There are a lot of common flaws and
pitfalls that can negatively impact a scan and the quality of its
output.
I always recommend that people move past the tools and dig into the
concepts themselves, unlike network interrogation which in my opinion
has a far more finite set of test cases, application interrogation is
very complex and difficult to do generically well across the myriad
of implementations people come up with daily... literally. All that
said, many of the paid solutions have been working on the problem for
a while and they set a decent bar, hybrid solutions like Whitehat
that provide managed scanning tend to perform better than their
unmanaged
counterparts in my opinion.
/morning ramble
I didn't see your original question to the list, so this is the best
answer I could provide within the context of what I saw.
D
--- On Tue, 3/5/13, Phil Gmail phil@safewalls.net wrote:
From: Phil Gmail phil@safewalls.net
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
testing
To: "Zippy Zeppoli"
zippyzeppoli@gmail.com
Cc: "websecurity@lists.webappsec.org"
websecurity@lists.webappsec.org
Date: Tuesday, March 5, 2013, 6:46 PM
Id recommend Burp Pro, but it is not an automated tool.
Www.burpsuite.com
Phil
Sent from iPhone
Twitter: @sec_prof
On Mar 5, 2013, at 17:53, Zippy Zeppoli zippyzeppoli@gmail.com wrote:
Hello,
I am looking for a solution to do web application vulnerability
scanning / testing.
IBM's rational appscan seems like a good solution, and I've used it
in the past.
The only problem seems to be the IBM part. I'm trying to engage them
for a trial license that doesn't only scan some useless webgoat, and
test it on my own app.
I'm getting kind of dismayed with the responsiveness, so I'm
wondering
if there are better commercial solutions out there which are ready
to go out of the box.
I'd love to use open source tools, but I don't have the time to do
the engineering part since I'm overburdened.
Thanks for your tips.
Z
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webapp
sec.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webapps
ec.org
--
Regards
Nitin Vindhara
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappse
c.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
Metasploit supports Windows plataform.
https://community.rapid7.com/message/1346#1346
Att.,
Samuel Riesz
De: websecurity [websecurity-bounces@lists.webappsec.org] em nome de Andre Gironda [andreg@gmail.com]
Enviado: quinta-feira, 7 de março de 2013 17:28
Para: Ofer Shezaf
Cc: websecurity@lists.webappsec.org; Phil Gmail
Assunto: Re: [WEB SECURITY] best tool for web app scanning / pen testing
Ofer,
It's just that most Unixes come with either wget or curl right from the start. You'd have to install Powershell to get anything equivalent on Windows, unless you were already a developer who had your own HTTP/TLS clients written in a certain language, such as .NET (which could also be ported to Unix with Mono).
Metasploit requires Unix (or Cygwin when on Windows), and it's the dominant pen testing platform across the world. How could you say it's just me?
There are many open-source tools, libraries, frameworks, and testing platforms, especially built around Unix platforms. During a pen test, it's about combining those things together -- to which I haven't seen a good commercial library or framework in the web app pen space.
There are some commercial tools that can be used by pen-testers in the Enterprise workflow for application security risk management purposes. For example, I like to get all of my findings into Burp Suite Professional so that I can submit them to Fortify Software Security Center. Note that I work for HP, so I may come across Fortify SSC more often than this audience.
By no means should you assume that myself or anyone who does web app pen for HP or any company uses only those tools. I am literally saying here that all tools are relevant and have purpose when dealing with appsec. If you want to present your findings to an information security team, directors, or C-level executives trying to make decisions around appsec risk management issues, then there are few commercial portal offerings to aid in that effort. Application security risk management portals are critical path to instill inside a large-installation organization.
In other words, it's not "which tools" you need "to buy", but more "what skillsets do you need to find the issues and can those skills match up to the requirements necessary to report/understand/mediate those issues?". The answer to the skillsets is usually either a Unix person, or an appdev who has written their own HTTP/TLS clients and XML/JSON/HTML/JS/AS parsers. Would you say it's easier to find/educate a Unix person or a specific-domain appdev?
dre
On Thu, Mar 7, 2013 at 12:42 PM, Ofer Shezaf <ofer@shezaf.commailto:ofer@shezaf.com> wrote:
I gave it a try. I SSHed to the first Unix machine I could find. I stared at the prompt. It stared at me. Alas, no application vulnerability surfaced out from the black surface.
What you really say is that Unix + Andre is the best tool. I accept that. The only issue is that Andre is a very scarce resource (approximately 1 in 7 billion in the sample population).
~ Ofer
From: Andre Gironda [mailto:andreg@gmail.commailto:andreg@gmail.com]
Sent: Thursday, March 07, 2013 8:37 PM
To: Ofer Shezaf
Cc: Dinis Cruz; Nitin Vindhara; websecurity@lists.webappsec.orgmailto:websecurity@lists.webappsec.org; Phil Gmail
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
I like to pick up a new tool every time I need to do something with web apps or pen-testing. Or pick up a new way to write an HTTP client in a different language. Or parse HTML/JS/AS. Or especially to figure out what blobs of data are.
Therefore, I have concluded that the best tool for web app scanning / pen testing is Unix. Any Unix or clone of Unix, or subset of Unix such as Cygwin. They'll all do. ;>
dre
On Wed, Mar 6, 2013 at 11:02 PM, Ofer Shezaf <ofer@shezaf.commailto:ofer@shezaf.com> wrote:
Commercial scanners do that today, usually as part of their integration with
a runtime element embedded in the application.
~ Ofer
-----Original Message-----
From: websecurity [mailto:websecurity-bounces@lists.webappsec.orgmailto:websecurity-bounces@lists.webappsec.org] On Behalf
Of Dinis Cruz
Sent: Thursday, March 07, 2013 12:46 AM
To: Nitin Vindhara
Cc: websecurity@lists.webappsec.orgmailto:websecurity@lists.webappsec.org; Phil Gmail
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
If you have access to the source code of the target application, you should
also analyse it and extract data to feed to the web scanners (for example
all possible urls, form fields, web services, REST interfaces, etc)
Dinis Cruz
On 6 Mar 2013, at 19:55, Nitin Vindhara <nitin.vindhara@gmail.commailto:nitin.vindhara@gmail.com> wrote:
My experience with appscan is better then and webinspect. I mean in
terms of identifying maximum vulnerabilities.
However more number of false positive are reported by appscan.
Accunetix is better in term of less false positive.
Burp is semi automated, but good in finding some additional vulnerability.
It can be a additional scanner, but not the only one.
Its main objective is as proxy not scanner.
However support of webinspect and accunetix are found better.
So depending of ur need and skill set you or your team have, decision
has to be taken.
Also this are my personal view, this can not be fool prove.
Regards
Nitin
On 3/6/13, Daniel Herrera <daherrera101@yahoo.commailto:daherrera101@yahoo.com> wrote:
"Web application scanners that provide trial licenses with limiters
like target domains can be circumvented by statically resolving their
target domain to an IP of your choosing on the environment that you
are running the scanner from."
--- On Wed, 3/6/13, Daniel Herrera <daherrera101@yahoo.commailto:daherrera101@yahoo.com> wrote:
From: Daniel Herrera <daherrera101@yahoo.commailto:daherrera101@yahoo.com>
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
testing
To: "Zippy Zeppoli" <zippyzeppoli@gmail.commailto:zippyzeppoli@gmail.com>, "Phil Gmail"
<phil@safewalls.netmailto:phil@safewalls.net>
Cc: "websecurity@lists.webappsec.orgmailto:websecurity@lists.webappsec.org"
<websecurity@lists.webappsec.orgmailto:websecurity@lists.webappsec.org>
Date: Wednesday, March 6, 2013, 11:06 AM
Sooo... web application scanners that provide trial licenses with
limiters like target domains can be circumvented by statically
resolving their target domain to an IP of your choosing on the
environment that you are running that application from. Note that
your target application must accept arbitrary "Host" header entries.
Some interesting options to look into would be:
Netsparker
http://www.mavitunasecurity.com/netsparker/
Websecurify
http://www.websecurify.com/suite
Personally I don't put much faith in automated assessment utilities
both open and closed source. There are a lot of common flaws and
pitfalls that can negatively impact a scan and the quality of its output.
I always recommend that people move past the tools and dig into the
concepts themselves, unlike network interrogation which in my opinion
has a far more finite set of test cases, application interrogation is
very complex and difficult to do generically well across the myriad
of implementations people come up with daily... literally. All that
said, many of the paid solutions have been working on the problem for
a while and they set a decent bar, hybrid solutions like Whitehat
that provide managed scanning tend to perform better than their unmanaged
counterparts in my opinion.
/morning ramble
I didn't see your original question to the list, so this is the best
answer I could provide within the context of what I saw.
D
--- On Tue, 3/5/13, Phil Gmail <phil@safewalls.netmailto:phil@safewalls.net> wrote:
From: Phil Gmail <phil@safewalls.netmailto:phil@safewalls.net>
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
testing
To: "Zippy Zeppoli"
<zippyzeppoli@gmail.commailto:zippyzeppoli@gmail.com>
Cc: "websecurity@lists.webappsec.orgmailto:websecurity@lists.webappsec.org"
<websecurity@lists.webappsec.orgmailto:websecurity@lists.webappsec.org>
Date: Tuesday, March 5, 2013, 6:46 PM
Id recommend Burp Pro, but it is not an automated tool.
Www.burpsuite.comhttp://Www.burpsuite.com
Phil
Sent from iPhone
Twitter: @sec_prof
On Mar 5, 2013, at 17:53, Zippy Zeppoli <zippyzeppoli@gmail.commailto:zippyzeppoli@gmail.com> wrote:
Hello,
I am looking for a solution to do web application vulnerability
scanning / testing.
IBM's rational appscan seems like a good solution, and I've used it
in the past.
The only problem seems to be the IBM part. I'm trying to engage them
for a trial license that doesn't only scan some useless webgoat, and
test it on my own app.
I'm getting kind of dismayed with the responsiveness, so I'm
wondering
if there are better commercial solutions out there which are ready
to go out of the box.
I'd love to use open source tools, but I don't have the time to do
the engineering part since I'm overburdened.
Thanks for your tips.
Z
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.orgmailto:websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webapp
sec.orghttp://sec.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.orgmailto:websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webapps
ec.orghttp://ec.org
--
Regards
Nitin Vindhara
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.orgmailto:websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappse
c.orghttp://c.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.orgmailto:websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.orgmailto:websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
--
Esta mensagem foi verificada pelo sistema de antivirus e
acredita-se estar livre de perigo.
--
Esta mensagem foi verificada pelo sistema de antivirus e
acredita-se estar livre de perigo.
Humor aside, I think we are very much in agreement. Even the best of tools
will not replace humans.
The issue is that I think tools should be evaluated, at least in most cases,
based on how they empower the average and not very experienced app sec guy
rather than how lethal they are in the hand of the master.
~ Ofer
From: Andre Gironda [mailto:andreg@gmail.com]
Sent: Thursday, March 07, 2013 10:28 PM
To: Ofer Shezaf
Cc: Dinis Cruz; Nitin Vindhara; websecurity@lists.webappsec.org; Phil Gmail
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
Ofer,
It's just that most Unixes come with either wget or curl right from the
start. You'd have to install Powershell to get anything equivalent on
Windows, unless you were already a developer who had your own HTTP/TLS
clients written in a certain language, such as .NET (which could also be
ported to Unix with Mono).
Metasploit requires Unix (or Cygwin when on Windows), and it's the dominant
pen testing platform across the world. How could you say it's just me?
There are many open-source tools, libraries, frameworks, and testing
platforms, especially built around Unix platforms. During a pen test, it's
about combining those things together -- to which I haven't seen a good
commercial library or framework in the web app pen space.
There are some commercial tools that can be used by pen-testers in the
Enterprise workflow for application security risk management purposes. For
example, I like to get all of my findings into Burp Suite Professional so
that I can submit them to Fortify Software Security Center. Note that I work
for HP, so I may come across Fortify SSC more often than this audience.
By no means should you assume that myself or anyone who does web app pen for
HP or any company uses only those tools. I am literally saying here that all
tools are relevant and have purpose when dealing with appsec. If you want to
present your findings to an information security team, directors, or C-level
executives trying to make decisions around appsec risk management issues,
then there are few commercial portal offerings to aid in that effort.
Application security risk management portals are critical path to instill
inside a large-installation organization.
In other words, it's not "which tools" you need "to buy", but more "what
skillsets do you need to find the issues and can those skills match up to
the requirements necessary to report/understand/mediate those issues?". The
answer to the skillsets is usually either a Unix person, or an appdev who
has written their own HTTP/TLS clients and XML/JSON/HTML/JS/AS parsers.
Would you say it's easier to find/educate a Unix person or a specific-domain
appdev?
dre
On Thu, Mar 7, 2013 at 12:42 PM, Ofer Shezaf <ofer@shezaf.com
mailto:ofer@shezaf.com > wrote:
I gave it a try. I SSHed to the first Unix machine I could find. I stared at
the prompt. It stared at me. Alas, no application vulnerability surfaced out
from the black surface.
What you really say is that Unix + Andre is the best tool. I accept that.
The only issue is that Andre is a very scarce resource (approximately 1 in 7
billion in the sample population).
~ Ofer
From: Andre Gironda [mailto:andreg@gmail.com mailto:andreg@gmail.com ]
Sent: Thursday, March 07, 2013 8:37 PM
To: Ofer Shezaf
Cc: Dinis Cruz; Nitin Vindhara; websecurity@lists.webappsec.org
mailto:websecurity@lists.webappsec.org ; Phil Gmail
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
I like to pick up a new tool every time I need to do something with web apps
or pen-testing. Or pick up a new way to write an HTTP client in a different
language. Or parse HTML/JS/AS. Or especially to figure out what blobs of
data are.
Therefore, I have concluded that the best tool for web app scanning / pen
testing is Unix. Any Unix or clone of Unix, or subset of Unix such as
Cygwin. They'll all do. ;>
dre
On Wed, Mar 6, 2013 at 11:02 PM, Ofer Shezaf <ofer@shezaf.com
mailto:ofer@shezaf.com > wrote:
Commercial scanners do that today, usually as part of their integration with
a runtime element embedded in the application.
~ Ofer
-----Original Message-----
From: websecurity [mailto:websecurity-bounces@lists.webappsec.org
mailto:websecurity-bounces@lists.webappsec.org ] On Behalf
Of Dinis Cruz
Sent: Thursday, March 07, 2013 12:46 AM
To: Nitin Vindhara
Cc: websecurity@lists.webappsec.org mailto:websecurity@lists.webappsec.org
; Phil Gmail
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
If you have access to the source code of the target application, you should
also analyse it and extract data to feed to the web scanners (for example
all possible urls, form fields, web services, REST interfaces, etc)
Dinis Cruz
On 6 Mar 2013, at 19:55, Nitin Vindhara <nitin.vindhara@gmail.com
mailto:nitin.vindhara@gmail.com > wrote:
My experience with appscan is better then and webinspect. I mean in
terms of identifying maximum vulnerabilities.
However more number of false positive are reported by appscan.
Accunetix is better in term of less false positive.
Burp is semi automated, but good in finding some additional vulnerability.
It can be a additional scanner, but not the only one.
Its main objective is as proxy not scanner.
However support of webinspect and accunetix are found better.
So depending of ur need and skill set you or your team have, decision
has to be taken.
Also this are my personal view, this can not be fool prove.
Regards
Nitin
On 3/6/13, Daniel Herrera <daherrera101@yahoo.com
mailto:daherrera101@yahoo.com > wrote:
"Web application scanners that provide trial licenses with limiters
like target domains can be circumvented by statically resolving their
target domain to an IP of your choosing on the environment that you
are running the scanner from."
--- On Wed, 3/6/13, Daniel Herrera <daherrera101@yahoo.com
mailto:daherrera101@yahoo.com > wrote:
From: Daniel Herrera <daherrera101@yahoo.com
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
testing
To: "Zippy Zeppoli" <zippyzeppoli@gmail.com
mailto:zippyzeppoli@gmail.com >, "Phil Gmail"
Date: Wednesday, March 6, 2013, 11:06 AM
Sooo... web application scanners that provide trial licenses with
limiters like target domains can be circumvented by statically
resolving their target domain to an IP of your choosing on the
environment that you are running that application from. Note that
your target application must accept arbitrary "Host" header entries.
Some interesting options to look into would be:
Netsparker
http://www.mavitunasecurity.com/netsparker/
Websecurify
http://www.websecurify.com/suite
Personally I don't put much faith in automated assessment utilities
both open and closed source. There are a lot of common flaws and
pitfalls that can negatively impact a scan and the quality of its output.
I always recommend that people move past the tools and dig into the
concepts themselves, unlike network interrogation which in my opinion
has a far more finite set of test cases, application interrogation is
very complex and difficult to do generically well across the myriad
of implementations people come up with daily... literally. All that
said, many of the paid solutions have been working on the problem for
a while and they set a decent bar, hybrid solutions like Whitehat
that provide managed scanning tend to perform better than their unmanaged
counterparts in my opinion.
/morning ramble
I didn't see your original question to the list, so this is the best
answer I could provide within the context of what I saw.
D
--- On Tue, 3/5/13, Phil Gmail <phil@safewalls.net
mailto:phil@safewalls.net > wrote:
From: Phil Gmail <phil@safewalls.net mailto:phil@safewalls.net >
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
testing
To: "Zippy Zeppoli"
<zippyzeppoli@gmail.com mailto:zippyzeppoli@gmail.com >
Cc: "websecurity@lists.webappsec.org
Date: Tuesday, March 5, 2013, 6:46 PM
Id recommend Burp Pro, but it is not an automated tool.
Www.burpsuite.com http://Www.burpsuite.com
Phil
Sent from iPhone
Twitter: @sec_prof
On Mar 5, 2013, at 17:53, Zippy Zeppoli <zippyzeppoli@gmail.com
mailto:zippyzeppoli@gmail.com > wrote:
Hello,
I am looking for a solution to do web application vulnerability
scanning / testing.
IBM's rational appscan seems like a good solution, and I've used it
in the past.
The only problem seems to be the IBM part. I'm trying to engage them
for a trial license that doesn't only scan some useless webgoat, and
test it on my own app.
I'm getting kind of dismayed with the responsiveness, so I'm
wondering
if there are better commercial solutions out there which are ready
to go out of the box.
I'd love to use open source tools, but I don't have the time to do
the engineering part since I'm overburdened.
Thanks for your tips.
Z
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org mailto:websecurity@lists.webappsec.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org mailto:websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webapps
ec.org http://ec.org
--
Regards
Nitin Vindhara
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org mailto:websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappse
c.org http://c.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org mailto:websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org mailto:websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
Every once in a while someone posts this questions about "best tool for web app scanning" and we as a community get into the same kind of discussion only to agree to agree or agree to disagree at the end.
I don't believe any of this helps the person asking the question by whatever intent possible. If anything, the technological gibberish (pardon me) only adds to more FUD around the mind of someone trying to get a straight answer to a straightforward question.
/evening rant
PS
On Mar 7, 2013, at 3:45 PM, "Ofer Shezaf" ofer@shezaf.com wrote:
Humor aside, I think we are very much in agreement. Even the best of tools will not replace humans.
The issue is that I think tools should be evaluated, at least in most cases, based on how they empower the average and not very experienced app sec guy rather than how lethal they are in the hand of the master.
~ Ofer
From: Andre Gironda [mailto:andreg@gmail.com]
Sent: Thursday, March 07, 2013 10:28 PM
To: Ofer Shezaf
Cc: Dinis Cruz; Nitin Vindhara; websecurity@lists.webappsec.org; Phil Gmail
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
Ofer,
It's just that most Unixes come with either wget or curl right from the start. You'd have to install Powershell to get anything equivalent on Windows, unless you were already a developer who had your own HTTP/TLS clients written in a certain language, such as .NET (which could also be ported to Unix with Mono).
Metasploit requires Unix (or Cygwin when on Windows), and it's the dominant pen testing platform across the world. How could you say it's just me?
There are many open-source tools, libraries, frameworks, and testing platforms, especially built around Unix platforms. During a pen test, it's about combining those things together -- to which I haven't seen a good commercial library or framework in the web app pen space.
There are some commercial tools that can be used by pen-testers in the Enterprise workflow for application security risk management purposes. For example, I like to get all of my findings into Burp Suite Professional so that I can submit them to Fortify Software Security Center. Note that I work for HP, so I may come across Fortify SSC more often than this audience.
By no means should you assume that myself or anyone who does web app pen for HP or any company uses only those tools. I am literally saying here that all tools are relevant and have purpose when dealing with appsec. If you want to present your findings to an information security team, directors, or C-level executives trying to make decisions around appsec risk management issues, then there are few commercial portal offerings to aid in that effort. Application security risk management portals are critical path to instill inside a large-installation organization.
In other words, it's not "which tools" you need "to buy", but more "what skillsets do you need to find the issues and can those skills match up to the requirements necessary to report/understand/mediate those issues?". The answer to the skillsets is usually either a Unix person, or an appdev who has written their own HTTP/TLS clients and XML/JSON/HTML/JS/AS parsers. Would you say it's easier to find/educate a Unix person or a specific-domain appdev?
dre
On Thu, Mar 7, 2013 at 12:42 PM, Ofer Shezaf ofer@shezaf.com wrote:
I gave it a try. I SSHed to the first Unix machine I could find. I stared at the prompt. It stared at me. Alas, no application vulnerability surfaced out from the black surface.
What you really say is that Unix + Andre is the best tool. I accept that. The only issue is that Andre is a very scarce resource (approximately 1 in 7 billion in the sample population).
~ Ofer
From: Andre Gironda [mailto:andreg@gmail.com]
Sent: Thursday, March 07, 2013 8:37 PM
To: Ofer Shezaf
Cc: Dinis Cruz; Nitin Vindhara; websecurity@lists.webappsec.org; Phil Gmail
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
I like to pick up a new tool every time I need to do something with web apps or pen-testing. Or pick up a new way to write an HTTP client in a different language. Or parse HTML/JS/AS. Or especially to figure out what blobs of data are.
Therefore, I have concluded that the best tool for web app scanning / pen testing is Unix. Any Unix or clone of Unix, or subset of Unix such as Cygwin. They'll all do. ;>
dre
On Wed, Mar 6, 2013 at 11:02 PM, Ofer Shezaf ofer@shezaf.com wrote:
Commercial scanners do that today, usually as part of their integration with
a runtime element embedded in the application.
~ Ofer
-----Original Message-----
From: websecurity [mailto:websecurity-bounces@lists.webappsec.org] On Behalf
Of Dinis Cruz
Sent: Thursday, March 07, 2013 12:46 AM
To: Nitin Vindhara
Cc: websecurity@lists.webappsec.org; Phil Gmail
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
If you have access to the source code of the target application, you should
also analyse it and extract data to feed to the web scanners (for example
all possible urls, form fields, web services, REST interfaces, etc)
Dinis Cruz
On 6 Mar 2013, at 19:55, Nitin Vindhara nitin.vindhara@gmail.com wrote:
My experience with appscan is better then and webinspect. I mean in
terms of identifying maximum vulnerabilities.
However more number of false positive are reported by appscan.
Accunetix is better in term of less false positive.
Burp is semi automated, but good in finding some additional vulnerability.
It can be a additional scanner, but not the only one.
Its main objective is as proxy not scanner.
However support of webinspect and accunetix are found better.
So depending of ur need and skill set you or your team have, decision
has to be taken.
Also this are my personal view, this can not be fool prove.
Regards
Nitin
On 3/6/13, Daniel Herrera daherrera101@yahoo.com wrote:
"Web application scanners that provide trial licenses with limiters
like target domains can be circumvented by statically resolving their
target domain to an IP of your choosing on the environment that you
are running the scanner from."
--- On Wed, 3/6/13, Daniel Herrera daherrera101@yahoo.com wrote:
From: Daniel Herrera daherrera101@yahoo.com
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
testing
To: "Zippy Zeppoli" zippyzeppoli@gmail.com, "Phil Gmail"
phil@safewalls.net
Cc: "websecurity@lists.webappsec.org"
websecurity@lists.webappsec.org
Date: Wednesday, March 6, 2013, 11:06 AM
Sooo... web application scanners that provide trial licenses with
limiters like target domains can be circumvented by statically
resolving their target domain to an IP of your choosing on the
environment that you are running that application from. Note that
your target application must accept arbitrary "Host" header entries.
Some interesting options to look into would be:
Netsparker
http://www.mavitunasecurity.com/netsparker/
Websecurify
http://www.websecurify.com/suite
Personally I don't put much faith in automated assessment utilities
both open and closed source. There are a lot of common flaws and
pitfalls that can negatively impact a scan and the quality of its output.
I always recommend that people move past the tools and dig into the
concepts themselves, unlike network interrogation which in my opinion
has a far more finite set of test cases, application interrogation is
very complex and difficult to do generically well across the myriad
of implementations people come up with daily... literally. All that
said, many of the paid solutions have been working on the problem for
a while and they set a decent bar, hybrid solutions like Whitehat
that provide managed scanning tend to perform better than their unmanaged
counterparts in my opinion.
/morning ramble
I didn't see your original question to the list, so this is the best
answer I could provide within the context of what I saw.
D
--- On Tue, 3/5/13, Phil Gmail phil@safewalls.net wrote:
From: Phil Gmail phil@safewalls.net
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
testing
To: "Zippy Zeppoli"
zippyzeppoli@gmail.com
Cc: "websecurity@lists.webappsec.org"
websecurity@lists.webappsec.org
Date: Tuesday, March 5, 2013, 6:46 PM
Id recommend Burp Pro, but it is not an automated tool.
Www.burpsuite.com
Phil
Sent from iPhone
Twitter: @sec_prof
On Mar 5, 2013, at 17:53, Zippy Zeppoli zippyzeppoli@gmail.com wrote:
Hello,
I am looking for a solution to do web application vulnerability
scanning / testing.
IBM's rational appscan seems like a good solution, and I've used it
in the past.
The only problem seems to be the IBM part. I'm trying to engage them
for a trial license that doesn't only scan some useless webgoat, and
test it on my own app.
I'm getting kind of dismayed with the responsiveness, so I'm
wondering
if there are better commercial solutions out there which are ready
to go out of the box.
I'd love to use open source tools, but I don't have the time to do
the engineering part since I'm overburdened.
Thanks for your tips.
Z
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webapp
sec.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webapps
ec.org
--
Regards
Nitin Vindhara
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappse
c.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
Check this:
http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html
On Thu, Mar 7, 2013 at 6:31 PM, Prasad Shenoy prasad.shenoy@gmail.com wrote:
Every once in a while someone posts this questions about "best tool for web
app scanning" and we as a community get into the same kind of discussion
only to agree to agree or agree to disagree at the end.
I don't believe any of this helps the person asking the question by whatever
intent possible. If anything, the technological gibberish (pardon me) only
adds to more FUD around the mind of someone trying to get a straight answer
to a straightforward question.
/evening rant
PS
On Mar 7, 2013, at 3:45 PM, "Ofer Shezaf" ofer@shezaf.com wrote:
Humor aside, I think we are very much in agreement. Even the best of tools
will not replace humans.
The issue is that I think tools should be evaluated, at least in most cases,
based on how they empower the average and not very experienced app sec guy
rather than how lethal they are in the hand of the master.
~ Ofer
From: Andre Gironda [mailto:andreg@gmail.com]
Sent: Thursday, March 07, 2013 10:28 PM
To: Ofer Shezaf
Cc: Dinis Cruz; Nitin Vindhara; websecurity@lists.webappsec.org; Phil Gmail
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
Ofer,
It's just that most Unixes come with either wget or curl right from the
start. You'd have to install Powershell to get anything equivalent on
Windows, unless you were already a developer who had your own HTTP/TLS
clients written in a certain language, such as .NET (which could also be
ported to Unix with Mono).
Metasploit requires Unix (or Cygwin when on Windows), and it's the dominant
pen testing platform across the world. How could you say it's just me?
There are many open-source tools, libraries, frameworks, and testing
platforms, especially built around Unix platforms. During a pen test, it's
about combining those things together -- to which I haven't seen a good
commercial library or framework in the web app pen space.
There are some commercial tools that can be used by pen-testers in the
Enterprise workflow for application security risk management purposes. For
example, I like to get all of my findings into Burp Suite Professional so
that I can submit them to Fortify Software Security Center. Note that I work
for HP, so I may come across Fortify SSC more often than this audience.
By no means should you assume that myself or anyone who does web app pen for
HP or any company uses only those tools. I am literally saying here that all
tools are relevant and have purpose when dealing with appsec. If you want to
present your findings to an information security team, directors, or C-level
executives trying to make decisions around appsec risk management issues,
then there are few commercial portal offerings to aid in that effort.
Application security risk management portals are critical path to instill
inside a large-installation organization.
In other words, it's not "which tools" you need "to buy", but more "what
skillsets do you need to find the issues and can those skills match up to
the requirements necessary to report/understand/mediate those issues?". The
answer to the skillsets is usually either a Unix person, or an appdev who
has written their own HTTP/TLS clients and XML/JSON/HTML/JS/AS parsers.
Would you say it's easier to find/educate a Unix person or a specific-domain
appdev?
dre
On Thu, Mar 7, 2013 at 12:42 PM, Ofer Shezaf ofer@shezaf.com wrote:
I gave it a try. I SSHed to the first Unix machine I could find. I stared at
the prompt. It stared at me. Alas, no application vulnerability surfaced out
from the black surface.
What you really say is that Unix + Andre is the best tool. I accept that.
The only issue is that Andre is a very scarce resource (approximately 1 in 7
billion in the sample population).
~ Ofer
From: Andre Gironda [mailto:andreg@gmail.com]
Sent: Thursday, March 07, 2013 8:37 PM
To: Ofer Shezaf
Cc: Dinis Cruz; Nitin Vindhara; websecurity@lists.webappsec.org; Phil Gmail
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
I like to pick up a new tool every time I need to do something with web apps
or pen-testing. Or pick up a new way to write an HTTP client in a different
language. Or parse HTML/JS/AS. Or especially to figure out what blobs of
data are.
Therefore, I have concluded that the best tool for web app scanning / pen
testing is Unix. Any Unix or clone of Unix, or subset of Unix such as
Cygwin. They'll all do. ;>
dre
On Wed, Mar 6, 2013 at 11:02 PM, Ofer Shezaf ofer@shezaf.com wrote:
Commercial scanners do that today, usually as part of their integration with
a runtime element embedded in the application.
~ Ofer
-----Original Message-----
From: websecurity [mailto:websecurity-bounces@lists.webappsec.org] On Behalf
Of Dinis Cruz
Sent: Thursday, March 07, 2013 12:46 AM
To: Nitin Vindhara
Cc: websecurity@lists.webappsec.org; Phil Gmail
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
If you have access to the source code of the target application, you should
also analyse it and extract data to feed to the web scanners (for example
all possible urls, form fields, web services, REST interfaces, etc)
Dinis Cruz
On 6 Mar 2013, at 19:55, Nitin Vindhara nitin.vindhara@gmail.com wrote:
My experience with appscan is better then and webinspect. I mean in
terms of identifying maximum vulnerabilities.
However more number of false positive are reported by appscan.
Accunetix is better in term of less false positive.
Burp is semi automated, but good in finding some additional vulnerability.
It can be a additional scanner, but not the only one.
Its main objective is as proxy not scanner.
However support of webinspect and accunetix are found better.
So depending of ur need and skill set you or your team have, decision
has to be taken.
Also this are my personal view, this can not be fool prove.
Regards
Nitin
On 3/6/13, Daniel Herrera daherrera101@yahoo.com wrote:
"Web application scanners that provide trial licenses with limiters
like target domains can be circumvented by statically resolving their
target domain to an IP of your choosing on the environment that you
are running the scanner from."
--- On Wed, 3/6/13, Daniel Herrera daherrera101@yahoo.com wrote:
From: Daniel Herrera daherrera101@yahoo.com
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
testing
To: "Zippy Zeppoli" zippyzeppoli@gmail.com, "Phil Gmail"
phil@safewalls.net
Cc: "websecurity@lists.webappsec.org"
websecurity@lists.webappsec.org
Date: Wednesday, March 6, 2013, 11:06 AM
Sooo... web application scanners that provide trial licenses with
limiters like target domains can be circumvented by statically
resolving their target domain to an IP of your choosing on the
environment that you are running that application from. Note that
your target application must accept arbitrary "Host" header entries.
Some interesting options to look into would be:
Netsparker
http://www.mavitunasecurity.com/netsparker/
Websecurify
http://www.websecurify.com/suite
Personally I don't put much faith in automated assessment utilities
both open and closed source. There are a lot of common flaws and
pitfalls that can negatively impact a scan and the quality of its output.
I always recommend that people move past the tools and dig into the
concepts themselves, unlike network interrogation which in my opinion
has a far more finite set of test cases, application interrogation is
very complex and difficult to do generically well across the myriad
of implementations people come up with daily... literally. All that
said, many of the paid solutions have been working on the problem for
a while and they set a decent bar, hybrid solutions like Whitehat
that provide managed scanning tend to perform better than their unmanaged
counterparts in my opinion.
/morning ramble
I didn't see your original question to the list, so this is the best
answer I could provide within the context of what I saw.
D
--- On Tue, 3/5/13, Phil Gmail phil@safewalls.net wrote:
From: Phil Gmail phil@safewalls.net
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
testing
To: "Zippy Zeppoli"
zippyzeppoli@gmail.com
Cc: "websecurity@lists.webappsec.org"
websecurity@lists.webappsec.org
Date: Tuesday, March 5, 2013, 6:46 PM
Id recommend Burp Pro, but it is not an automated tool.
Www.burpsuite.com
Phil
Sent from iPhone
Twitter: @sec_prof
On Mar 5, 2013, at 17:53, Zippy Zeppoli zippyzeppoli@gmail.com wrote:
Hello,
I am looking for a solution to do web application vulnerability
scanning / testing.
IBM's rational appscan seems like a good solution, and I've used it
in the past.
The only problem seems to be the IBM part. I'm trying to engage them
for a trial license that doesn't only scan some useless webgoat, and
test it on my own app.
I'm getting kind of dismayed with the responsiveness, so I'm
wondering
if there are better commercial solutions out there which are ready
to go out of the box.
I'd love to use open source tools, but I don't have the time to do
the engineering part since I'm overburdened.
Thanks for your tips.
Z
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webapp
sec.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webapps
ec.org
--
Regards
Nitin Vindhara
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappse
c.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
Thanks! I am sure Zippy will find this helpful.
PS
On Mar 7, 2013, at 9:25 PM, The Dead th3d34d@gmail.com wrote:
Check this:
http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html
On Thu, Mar 7, 2013 at 6:31 PM, Prasad Shenoy prasad.shenoy@gmail.com wrote:
Every once in a while someone posts this questions about "best tool for web
app scanning" and we as a community get into the same kind of discussion
only to agree to agree or agree to disagree at the end.
I don't believe any of this helps the person asking the question by whatever
intent possible. If anything, the technological gibberish (pardon me) only
adds to more FUD around the mind of someone trying to get a straight answer
to a straightforward question.
/evening rant
PS
On Mar 7, 2013, at 3:45 PM, "Ofer Shezaf" ofer@shezaf.com wrote:
Humor aside, I think we are very much in agreement. Even the best of tools
will not replace humans.
The issue is that I think tools should be evaluated, at least in most cases,
based on how they empower the average and not very experienced app sec guy
rather than how lethal they are in the hand of the master.
~ Ofer
From: Andre Gironda [mailto:andreg@gmail.com]
Sent: Thursday, March 07, 2013 10:28 PM
To: Ofer Shezaf
Cc: Dinis Cruz; Nitin Vindhara; websecurity@lists.webappsec.org; Phil Gmail
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
Ofer,
It's just that most Unixes come with either wget or curl right from the
start. You'd have to install Powershell to get anything equivalent on
Windows, unless you were already a developer who had your own HTTP/TLS
clients written in a certain language, such as .NET (which could also be
ported to Unix with Mono).
Metasploit requires Unix (or Cygwin when on Windows), and it's the dominant
pen testing platform across the world. How could you say it's just me?
There are many open-source tools, libraries, frameworks, and testing
platforms, especially built around Unix platforms. During a pen test, it's
about combining those things together -- to which I haven't seen a good
commercial library or framework in the web app pen space.
There are some commercial tools that can be used by pen-testers in the
Enterprise workflow for application security risk management purposes. For
example, I like to get all of my findings into Burp Suite Professional so
that I can submit them to Fortify Software Security Center. Note that I work
for HP, so I may come across Fortify SSC more often than this audience.
By no means should you assume that myself or anyone who does web app pen for
HP or any company uses only those tools. I am literally saying here that all
tools are relevant and have purpose when dealing with appsec. If you want to
present your findings to an information security team, directors, or C-level
executives trying to make decisions around appsec risk management issues,
then there are few commercial portal offerings to aid in that effort.
Application security risk management portals are critical path to instill
inside a large-installation organization.
In other words, it's not "which tools" you need "to buy", but more "what
skillsets do you need to find the issues and can those skills match up to
the requirements necessary to report/understand/mediate those issues?". The
answer to the skillsets is usually either a Unix person, or an appdev who
has written their own HTTP/TLS clients and XML/JSON/HTML/JS/AS parsers.
Would you say it's easier to find/educate a Unix person or a specific-domain
appdev?
dre
On Thu, Mar 7, 2013 at 12:42 PM, Ofer Shezaf ofer@shezaf.com wrote:
I gave it a try. I SSHed to the first Unix machine I could find. I stared at
the prompt. It stared at me. Alas, no application vulnerability surfaced out
from the black surface.
What you really say is that Unix + Andre is the best tool. I accept that.
The only issue is that Andre is a very scarce resource (approximately 1 in 7
billion in the sample population).
~ Ofer
From: Andre Gironda [mailto:andreg@gmail.com]
Sent: Thursday, March 07, 2013 8:37 PM
To: Ofer Shezaf
Cc: Dinis Cruz; Nitin Vindhara; websecurity@lists.webappsec.org; Phil Gmail
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
I like to pick up a new tool every time I need to do something with web apps
or pen-testing. Or pick up a new way to write an HTTP client in a different
language. Or parse HTML/JS/AS. Or especially to figure out what blobs of
data are.
Therefore, I have concluded that the best tool for web app scanning / pen
testing is Unix. Any Unix or clone of Unix, or subset of Unix such as
Cygwin. They'll all do. ;>
dre
On Wed, Mar 6, 2013 at 11:02 PM, Ofer Shezaf ofer@shezaf.com wrote:
Commercial scanners do that today, usually as part of their integration with
a runtime element embedded in the application.
~ Ofer
-----Original Message-----
From: websecurity [mailto:websecurity-bounces@lists.webappsec.org] On Behalf
Of Dinis Cruz
Sent: Thursday, March 07, 2013 12:46 AM
To: Nitin Vindhara
Cc: websecurity@lists.webappsec.org; Phil Gmail
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
If you have access to the source code of the target application, you should
also analyse it and extract data to feed to the web scanners (for example
all possible urls, form fields, web services, REST interfaces, etc)
Dinis Cruz
On 6 Mar 2013, at 19:55, Nitin Vindhara nitin.vindhara@gmail.com wrote:
My experience with appscan is better then and webinspect. I mean in
terms of identifying maximum vulnerabilities.
However more number of false positive are reported by appscan.
Accunetix is better in term of less false positive.
Burp is semi automated, but good in finding some additional vulnerability.
It can be a additional scanner, but not the only one.
Its main objective is as proxy not scanner.
However support of webinspect and accunetix are found better.
So depending of ur need and skill set you or your team have, decision
has to be taken.
Also this are my personal view, this can not be fool prove.
Regards
Nitin
On 3/6/13, Daniel Herrera daherrera101@yahoo.com wrote:
"Web application scanners that provide trial licenses with limiters
like target domains can be circumvented by statically resolving their
target domain to an IP of your choosing on the environment that you
are running the scanner from."
--- On Wed, 3/6/13, Daniel Herrera daherrera101@yahoo.com wrote:
From: Daniel Herrera daherrera101@yahoo.com
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
testing
To: "Zippy Zeppoli" zippyzeppoli@gmail.com, "Phil Gmail"
phil@safewalls.net
Cc: "websecurity@lists.webappsec.org"
websecurity@lists.webappsec.org
Date: Wednesday, March 6, 2013, 11:06 AM
Sooo... web application scanners that provide trial licenses with
limiters like target domains can be circumvented by statically
resolving their target domain to an IP of your choosing on the
environment that you are running that application from. Note that
your target application must accept arbitrary "Host" header entries.
Some interesting options to look into would be:
Netsparker
http://www.mavitunasecurity.com/netsparker/
Websecurify
http://www.websecurify.com/suite
Personally I don't put much faith in automated assessment utilities
both open and closed source. There are a lot of common flaws and
pitfalls that can negatively impact a scan and the quality of its output.
I always recommend that people move past the tools and dig into the
concepts themselves, unlike network interrogation which in my opinion
has a far more finite set of test cases, application interrogation is
very complex and difficult to do generically well across the myriad
of implementations people come up with daily... literally. All that
said, many of the paid solutions have been working on the problem for
a while and they set a decent bar, hybrid solutions like Whitehat
that provide managed scanning tend to perform better than their unmanaged
counterparts in my opinion.
/morning ramble
I didn't see your original question to the list, so this is the best
answer I could provide within the context of what I saw.
D
--- On Tue, 3/5/13, Phil Gmail phil@safewalls.net wrote:
From: Phil Gmail phil@safewalls.net
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
testing
To: "Zippy Zeppoli"
zippyzeppoli@gmail.com
Cc: "websecurity@lists.webappsec.org"
websecurity@lists.webappsec.org
Date: Tuesday, March 5, 2013, 6:46 PM
Id recommend Burp Pro, but it is not an automated tool.
Www.burpsuite.com
Phil
Sent from iPhone
Twitter: @sec_prof
On Mar 5, 2013, at 17:53, Zippy Zeppoli zippyzeppoli@gmail.com wrote:
Hello,
I am looking for a solution to do web application vulnerability
scanning / testing.
IBM's rational appscan seems like a good solution, and I've used it
in the past.
The only problem seems to be the IBM part. I'm trying to engage them
for a trial license that doesn't only scan some useless webgoat, and
test it on my own app.
I'm getting kind of dismayed with the responsiveness, so I'm
wondering
if there are better commercial solutions out there which are ready
to go out of the box.
I'd love to use open source tools, but I don't have the time to do
the engineering part since I'm overburdened.
Thanks for your tips.
Z
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webapp
sec.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webapps
ec.org
--
Regards
Nitin Vindhara
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappse
c.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
Security tools benchmarking
this may help
http://sectooladdict.blogspot.in/2011/08/commercial-web-application-scanner.html
Regards,
Sheik Nizamuddin
On Fri, Mar 8, 2013 at 8:05 AM, Prasad Shenoy prasad.shenoy@gmail.comwrote:
Thanks! I am sure Zippy will find this helpful.
PS
On Mar 7, 2013, at 9:25 PM, The Dead th3d34d@gmail.com wrote:
Check this:
On Thu, Mar 7, 2013 at 6:31 PM, Prasad Shenoy prasad.shenoy@gmail.com
wrote:
Every once in a while someone posts this questions about "best tool for
web
app scanning" and we as a community get into the same kind of discussion
only to agree to agree or agree to disagree at the end.
I don't believe any of this helps the person asking the question by
whatever
intent possible. If anything, the technological gibberish (pardon me)
only
adds to more FUD around the mind of someone trying to get a straight
answer
to a straightforward question.
/evening rant
PS
On Mar 7, 2013, at 3:45 PM, "Ofer Shezaf" ofer@shezaf.com wrote:
Humor aside, I think we are very much in agreement. Even the best of
tools
will not replace humans.
The issue is that I think tools should be evaluated, at least in most
cases,
based on how they empower the average and not very experienced app sec
guy
rather than how lethal they are in the hand of the master.
~ Ofer
From: Andre Gironda [mailto:andreg@gmail.com]
Sent: Thursday, March 07, 2013 10:28 PM
To: Ofer Shezaf
Cc: Dinis Cruz; Nitin Vindhara; websecurity@lists.webappsec.org; Phil
Gmail
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
Ofer,
It's just that most Unixes come with either wget or curl right from the
start. You'd have to install Powershell to get anything equivalent on
Windows, unless you were already a developer who had your own HTTP/TLS
clients written in a certain language, such as .NET (which could also be
ported to Unix with Mono).
Metasploit requires Unix (or Cygwin when on Windows), and it's the
dominant
pen testing platform across the world. How could you say it's just me?
There are many open-source tools, libraries, frameworks, and testing
platforms, especially built around Unix platforms. During a pen test,
it's
about combining those things together -- to which I haven't seen a good
commercial library or framework in the web app pen space.
There are some commercial tools that can be used by pen-testers in the
Enterprise workflow for application security risk management purposes.
For
example, I like to get all of my findings into Burp Suite Professional
so
that I can submit them to Fortify Software Security Center. Note that I
work
for HP, so I may come across Fortify SSC more often than this audience.
By no means should you assume that myself or anyone who does web app
pen for
HP or any company uses only those tools. I am literally saying here
that all
tools are relevant and have purpose when dealing with appsec. If you
want to
present your findings to an information security team, directors, or
C-level
executives trying to make decisions around appsec risk management
issues,
then there are few commercial portal offerings to aid in that effort.
Application security risk management portals are critical path to
instill
inside a large-installation organization.
In other words, it's not "which tools" you need "to buy", but more "what
skillsets do you need to find the issues and can those skills match up
to
the requirements necessary to report/understand/mediate those issues?".
The
answer to the skillsets is usually either a Unix person, or an appdev
who
has written their own HTTP/TLS clients and XML/JSON/HTML/JS/AS parsers.
Would you say it's easier to find/educate a Unix person or a
specific-domain
appdev?
dre
On Thu, Mar 7, 2013 at 12:42 PM, Ofer Shezaf ofer@shezaf.com wrote:
I gave it a try. I SSHed to the first Unix machine I could find. I
stared at
the prompt. It stared at me. Alas, no application vulnerability
surfaced out
from the black surface.
What you really say is that Unix + Andre is the best tool. I accept
that.
The only issue is that Andre is a very scarce resource (approximately 1
in 7
billion in the sample population).
~ Ofer
From: Andre Gironda [mailto:andreg@gmail.com]
Sent: Thursday, March 07, 2013 8:37 PM
To: Ofer Shezaf
Cc: Dinis Cruz; Nitin Vindhara; websecurity@lists.webappsec.org; Phil
Gmail
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
I like to pick up a new tool every time I need to do something with web
apps
or pen-testing. Or pick up a new way to write an HTTP client in a
different
language. Or parse HTML/JS/AS. Or especially to figure out what blobs of
data are.
Therefore, I have concluded that the best tool for web app scanning /
pen
testing is Unix. Any Unix or clone of Unix, or subset of Unix such as
Cygwin. They'll all do. ;>
dre
On Wed, Mar 6, 2013 at 11:02 PM, Ofer Shezaf ofer@shezaf.com wrote:
Commercial scanners do that today, usually as part of their integration
with
a runtime element embedded in the application.
~ Ofer
-----Original Message-----
From: websecurity [mailto:websecurity-bounces@lists.webappsec.org] On
Behalf
Of Dinis Cruz
Sent: Thursday, March 07, 2013 12:46 AM
To: Nitin Vindhara
Cc: websecurity@lists.webappsec.org; Phil Gmail
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
If you have access to the source code of the target application, you
should
also analyse it and extract data to feed to the web scanners (for
example
all possible urls, form fields, web services, REST interfaces, etc)
Dinis Cruz
On 6 Mar 2013, at 19:55, Nitin Vindhara nitin.vindhara@gmail.com
wrote:
My experience with appscan is better then and webinspect. I mean in
terms of identifying maximum vulnerabilities.
However more number of false positive are reported by appscan.
Accunetix is better in term of less false positive.
Burp is semi automated, but good in finding some additional
vulnerability.
It can be a additional scanner, but not the only one.
Its main objective is as proxy not scanner.
However support of webinspect and accunetix are found better.
So depending of ur need and skill set you or your team have, decision
has to be taken.
Also this are my personal view, this can not be fool prove.
Regards
Nitin
On 3/6/13, Daniel Herrera daherrera101@yahoo.com wrote:
"Web application scanners that provide trial licenses with limiters
like target domains can be circumvented by statically resolving their
target domain to an IP of your choosing on the environment that you
are running the scanner from."
--- On Wed, 3/6/13, Daniel Herrera daherrera101@yahoo.com wrote:
From: Daniel Herrera daherrera101@yahoo.com
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
testing
To: "Zippy Zeppoli" zippyzeppoli@gmail.com, "Phil Gmail"
phil@safewalls.net
Cc: "websecurity@lists.webappsec.org"
websecurity@lists.webappsec.org
Date: Wednesday, March 6, 2013, 11:06 AM
Sooo... web application scanners that provide trial licenses with
limiters like target domains can be circumvented by statically
resolving their target domain to an IP of your choosing on the
environment that you are running that application from. Note that
your target application must accept arbitrary "Host" header entries.
Some interesting options to look into would be:
Netsparker
http://www.mavitunasecurity.com/netsparker/
Websecurify
http://www.websecurify.com/suite
Personally I don't put much faith in automated assessment utilities
both open and closed source. There are a lot of common flaws and
pitfalls that can negatively impact a scan and the quality of its
output.
I always recommend that people move past the tools and dig into the
concepts themselves, unlike network interrogation which in my opinion
has a far more finite set of test cases, application interrogation is
very complex and difficult to do generically well across the myriad
of implementations people come up with daily... literally. All that
said, many of the paid solutions have been working on the problem for
a while and they set a decent bar, hybrid solutions like Whitehat
that provide managed scanning tend to perform better than their
unmanaged
counterparts in my opinion.
/morning ramble
I didn't see your original question to the list, so this is the best
answer I could provide within the context of what I saw.
D
--- On Tue, 3/5/13, Phil Gmail phil@safewalls.net wrote:
From: Phil Gmail phil@safewalls.net
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
testing
To: "Zippy Zeppoli"
zippyzeppoli@gmail.com
Cc: "websecurity@lists.webappsec.org"
websecurity@lists.webappsec.org
Date: Tuesday, March 5, 2013, 6:46 PM
Id recommend Burp Pro, but it is not an automated tool.
Www.burpsuite.com
Phil
Sent from iPhone
Twitter: @sec_prof
On Mar 5, 2013, at 17:53, Zippy Zeppoli zippyzeppoli@gmail.com
wrote:
Hello,
I am looking for a solution to do web application vulnerability
scanning / testing.
IBM's rational appscan seems like a good solution, and I've used it
in the past.
The only problem seems to be the IBM part. I'm trying to engage them
for a trial license that doesn't only scan some useless webgoat, and
test it on my own app.
I'm getting kind of dismayed with the responsiveness, so I'm
wondering
if there are better commercial solutions out there which are ready
to go out of the box.
I'd love to use open source tools, but I don't have the time to do
the engineering part since I'm overburdened.
Thanks for your tips.
Z
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webapp
sec.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webapps
ec.org
--
Regards
Nitin Vindhara
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappse
c.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
Thanks for that one.
On Thu, Mar 7, 2013 at 6:25 PM, The Dead th3d34d@gmail.com wrote:
Check this:
http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html
On Thu, Mar 7, 2013 at 6:31 PM, Prasad Shenoy prasad.shenoy@gmail.com wrote:
Every once in a while someone posts this questions about "best tool for web
app scanning" and we as a community get into the same kind of discussion
only to agree to agree or agree to disagree at the end.
I don't believe any of this helps the person asking the question by whatever
intent possible. If anything, the technological gibberish (pardon me) only
adds to more FUD around the mind of someone trying to get a straight answer
to a straightforward question.
/evening rant
PS
On Mar 7, 2013, at 3:45 PM, "Ofer Shezaf" ofer@shezaf.com wrote:
Humor aside, I think we are very much in agreement. Even the best of tools
will not replace humans.
The issue is that I think tools should be evaluated, at least in most cases,
based on how they empower the average and not very experienced app sec guy
rather than how lethal they are in the hand of the master.
~ Ofer
From: Andre Gironda [mailto:andreg@gmail.com]
Sent: Thursday, March 07, 2013 10:28 PM
To: Ofer Shezaf
Cc: Dinis Cruz; Nitin Vindhara; websecurity@lists.webappsec.org; Phil Gmail
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
Ofer,
It's just that most Unixes come with either wget or curl right from the
start. You'd have to install Powershell to get anything equivalent on
Windows, unless you were already a developer who had your own HTTP/TLS
clients written in a certain language, such as .NET (which could also be
ported to Unix with Mono).
Metasploit requires Unix (or Cygwin when on Windows), and it's the dominant
pen testing platform across the world. How could you say it's just me?
There are many open-source tools, libraries, frameworks, and testing
platforms, especially built around Unix platforms. During a pen test, it's
about combining those things together -- to which I haven't seen a good
commercial library or framework in the web app pen space.
There are some commercial tools that can be used by pen-testers in the
Enterprise workflow for application security risk management purposes. For
example, I like to get all of my findings into Burp Suite Professional so
that I can submit them to Fortify Software Security Center. Note that I work
for HP, so I may come across Fortify SSC more often than this audience.
By no means should you assume that myself or anyone who does web app pen for
HP or any company uses only those tools. I am literally saying here that all
tools are relevant and have purpose when dealing with appsec. If you want to
present your findings to an information security team, directors, or C-level
executives trying to make decisions around appsec risk management issues,
then there are few commercial portal offerings to aid in that effort.
Application security risk management portals are critical path to instill
inside a large-installation organization.
In other words, it's not "which tools" you need "to buy", but more "what
skillsets do you need to find the issues and can those skills match up to
the requirements necessary to report/understand/mediate those issues?". The
answer to the skillsets is usually either a Unix person, or an appdev who
has written their own HTTP/TLS clients and XML/JSON/HTML/JS/AS parsers.
Would you say it's easier to find/educate a Unix person or a specific-domain
appdev?
dre
On Thu, Mar 7, 2013 at 12:42 PM, Ofer Shezaf ofer@shezaf.com wrote:
I gave it a try. I SSHed to the first Unix machine I could find. I stared at
the prompt. It stared at me. Alas, no application vulnerability surfaced out
from the black surface.
What you really say is that Unix + Andre is the best tool. I accept that.
The only issue is that Andre is a very scarce resource (approximately 1 in 7
billion in the sample population).
~ Ofer
From: Andre Gironda [mailto:andreg@gmail.com]
Sent: Thursday, March 07, 2013 8:37 PM
To: Ofer Shezaf
Cc: Dinis Cruz; Nitin Vindhara; websecurity@lists.webappsec.org; Phil Gmail
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
I like to pick up a new tool every time I need to do something with web apps
or pen-testing. Or pick up a new way to write an HTTP client in a different
language. Or parse HTML/JS/AS. Or especially to figure out what blobs of
data are.
Therefore, I have concluded that the best tool for web app scanning / pen
testing is Unix. Any Unix or clone of Unix, or subset of Unix such as
Cygwin. They'll all do. ;>
dre
On Wed, Mar 6, 2013 at 11:02 PM, Ofer Shezaf ofer@shezaf.com wrote:
Commercial scanners do that today, usually as part of their integration with
a runtime element embedded in the application.
~ Ofer
-----Original Message-----
From: websecurity [mailto:websecurity-bounces@lists.webappsec.org] On Behalf
Of Dinis Cruz
Sent: Thursday, March 07, 2013 12:46 AM
To: Nitin Vindhara
Cc: websecurity@lists.webappsec.org; Phil Gmail
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen testing
If you have access to the source code of the target application, you should
also analyse it and extract data to feed to the web scanners (for example
all possible urls, form fields, web services, REST interfaces, etc)
Dinis Cruz
On 6 Mar 2013, at 19:55, Nitin Vindhara nitin.vindhara@gmail.com wrote:
My experience with appscan is better then and webinspect. I mean in
terms of identifying maximum vulnerabilities.
However more number of false positive are reported by appscan.
Accunetix is better in term of less false positive.
Burp is semi automated, but good in finding some additional vulnerability.
It can be a additional scanner, but not the only one.
Its main objective is as proxy not scanner.
However support of webinspect and accunetix are found better.
So depending of ur need and skill set you or your team have, decision
has to be taken.
Also this are my personal view, this can not be fool prove.
Regards
Nitin
On 3/6/13, Daniel Herrera daherrera101@yahoo.com wrote:
"Web application scanners that provide trial licenses with limiters
like target domains can be circumvented by statically resolving their
target domain to an IP of your choosing on the environment that you
are running the scanner from."
--- On Wed, 3/6/13, Daniel Herrera daherrera101@yahoo.com wrote:
From: Daniel Herrera daherrera101@yahoo.com
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
testing
To: "Zippy Zeppoli" zippyzeppoli@gmail.com, "Phil Gmail"
phil@safewalls.net
Cc: "websecurity@lists.webappsec.org"
websecurity@lists.webappsec.org
Date: Wednesday, March 6, 2013, 11:06 AM
Sooo... web application scanners that provide trial licenses with
limiters like target domains can be circumvented by statically
resolving their target domain to an IP of your choosing on the
environment that you are running that application from. Note that
your target application must accept arbitrary "Host" header entries.
Some interesting options to look into would be:
Netsparker
http://www.mavitunasecurity.com/netsparker/
Websecurify
http://www.websecurify.com/suite
Personally I don't put much faith in automated assessment utilities
both open and closed source. There are a lot of common flaws and
pitfalls that can negatively impact a scan and the quality of its output.
I always recommend that people move past the tools and dig into the
concepts themselves, unlike network interrogation which in my opinion
has a far more finite set of test cases, application interrogation is
very complex and difficult to do generically well across the myriad
of implementations people come up with daily... literally. All that
said, many of the paid solutions have been working on the problem for
a while and they set a decent bar, hybrid solutions like Whitehat
that provide managed scanning tend to perform better than their unmanaged
counterparts in my opinion.
/morning ramble
I didn't see your original question to the list, so this is the best
answer I could provide within the context of what I saw.
D
--- On Tue, 3/5/13, Phil Gmail phil@safewalls.net wrote:
From: Phil Gmail phil@safewalls.net
Subject: Re: [WEB SECURITY] best tool for web app scanning / pen
testing
To: "Zippy Zeppoli"
zippyzeppoli@gmail.com
Cc: "websecurity@lists.webappsec.org"
websecurity@lists.webappsec.org
Date: Tuesday, March 5, 2013, 6:46 PM
Id recommend Burp Pro, but it is not an automated tool.
Www.burpsuite.com
Phil
Sent from iPhone
Twitter: @sec_prof
On Mar 5, 2013, at 17:53, Zippy Zeppoli zippyzeppoli@gmail.com wrote:
Hello,
I am looking for a solution to do web application vulnerability
scanning / testing.
IBM's rational appscan seems like a good solution, and I've used it
in the past.
The only problem seems to be the IBM part. I'm trying to engage them
for a trial license that doesn't only scan some useless webgoat, and
test it on my own app.
I'm getting kind of dismayed with the responsiveness, so I'm
wondering
if there are better commercial solutions out there which are ready
to go out of the box.
I'd love to use open source tools, but I don't have the time to do
the engineering part since I'm overburdened.
Thanks for your tips.
Z
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webapp
sec.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webapps
ec.org
--
Regards
Nitin Vindhara
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappse
c.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org