open source web app scanners
Hi List,
I was wondering if anyone has come across a web application security
scanner which is open source that is on par with IBM Rational AppScan.
I've come across some tools in the OWASP project but they don't even seem
to come close to a too like AppScan.
Thanks in advance,
Z
Zippy,
There is good list of web app scanners on sectools.org [0]
You can try w3af [1] and arachni [2]
[0] http://sectools.org/tag/web-scanners/
[1] http://w3af.org
[2] http://arachni-scanner.com/
On 06/28/2012 04:40 AM, Zippy Zeppoli wrote:
Hi List,
I was wondering if anyone has come across a web application security
scanner which is open source that is on par with IBM Rational AppScan.
I've come across some tools in the OWASP project but they don't even seem
to come close to a too like AppScan.
Thanks in advance,
Z
--
Taras
http://oxdef.info
Hello Zippy,
If you're evaluating a scanner you should be aware of some of their
limitations. I wrote an article several years back that may be of
interest.
Challenges faced by automated web application security assessment tools
http://www.cgisecurity.com/scannerchallenges.html
Regards,
- Robert A.
WASC Co Founder/Moderator of The Web Security Mailing List
http://www.webappsec.org/
http://www.cgisecurity.com/
http://www.qasec.com/
On Thu, 28 Jun 2012, Taras wrote:
Zippy,
There is good list of web app scanners on sectools.org [0]
You can try w3af [1] and arachni [2]
[0] http://sectools.org/tag/web-scanners/
[1] http://w3af.org
[2] http://arachni-scanner.com/
On 06/28/2012 04:40 AM, Zippy Zeppoli wrote:
Hi List,
I was wondering if anyone has come across a web application security
scanner which is open source that is on par with IBM Rational AppScan.
I've come across some tools in the OWASP project but they don't even seem
to come close to a too like AppScan.
Thanks in advance,
Z
--
Taras
http://oxdef.info
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
w3af is a good scanner and from a methodology standpoint checks all the boxes but I've had major stability issues in the past. I hardly ever use it anymore because it seems to crash right after it finds something useful. Lost way too much time re-scanning. If the stability issues were ever resolved I'd probably drop all my commercial (web) tools other than Burp.
--
Tony
http://sentinel24.com/blog/
From: Taras oxdef@oxdef.info
To: Zippy Zeppoli zippyzeppoli@gmail.com
Cc: websecurity@lists.webappsec.org
Sent: Thursday, June 28, 2012 2:02 PM
Subject: Re: [WEB SECURITY] open source web app scanners
Zippy,
There is good list of web app scanners on sectools.org [0]
You can try w3af [1] and arachni [2]
[0] http://sectools.org/tag/web-scanners/
[1] http://w3af.org
[2] http://arachni-scanner.com/
On 06/28/2012 04:40 AM, Zippy Zeppoli wrote:
Hi List,
I was wondering if anyone has come across a web application security
scanner which is open source that is on par with IBM Rational AppScan.
I've come across some tools in the OWASP project but they don't even seem
to come close to a too like AppScan.
Thanks in advance,
Z
--
Taras
http://oxdef.info
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
Awesome. Thank you all. I wonder which tools are best for automating? For
example integrating into selenium tests, jenkins, etc.
On Thu, Jun 28, 2012 at 2:17 PM, Tony Turner tony_l_turner@yahoo.comwrote:
w3af is a good scanner and from a methodology standpoint checks all the
boxes but I've had major stability issues in the past. I hardly ever use it
anymore because it seems to crash right after it finds something useful.
Lost way too much time re-scanning. If the stability issues were ever
resolved I'd probably drop all my commercial (web) tools other than Burp.
--
Tony
http://sentinel24.com/blog/
From: Taras oxdef@oxdef.info
To: Zippy Zeppoli zippyzeppoli@gmail.com
Cc: websecurity@lists.webappsec.org
Sent: Thursday, June 28, 2012 2:02 PM
Subject: Re: [WEB SECURITY] open source web app scanners
Zippy,
There is good list of web app scanners on sectools.org [0]
You can try w3af [1] and arachni [2]
[0] http://sectools.org/tag/web-scanners/
[1] http://w3af.org
[2] http://arachni-scanner.com/
On 06/28/2012 04:40 AM, Zippy Zeppoli wrote:
Hi List,
I was wondering if anyone has come across a web application security
scanner which is open source that is on par with IBM Rational AppScan.
I've come across some tools in the OWASP project but they don't even seem
to come close to a too like AppScan.
Thanks in advance,
Z
--
Taras
http://oxdef.info
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
One of my users asked me the same thing recently:
https://gist.github.com/2960625
If that's the sort of thing you need then give it a shot but beware,
this only works with the experimental branch which is...experimental.
Cheers
On 06/29/2012 12:25 AM, Zippy Zeppoli wrote:
Awesome. Thank you all. I wonder which tools are best for automating?
For example integrating into selenium tests, jenkins, etc.
On Thu, Jun 28, 2012 at 2:17 PM, Tony Turner <tony_l_turner@yahoo.com
mailto:tony_l_turner@yahoo.com> wrote:
w3af is a good scanner and from a methodology standpoint checks all
the boxes but I've had major stability issues in the past. I hardly
ever use it anymore because it seems to crash right after it finds
something useful. Lost way too much time re-scanning. If the
stability issues were ever resolved I'd probably drop all my
commercial (web) tools other than Burp.
--
Tony
http://sentinel24.com/blog/
------------------------------------------------------------------------
*From:* Taras <oxdef@oxdef.info <mailto:oxdef@oxdef.info>>
*To:* Zippy Zeppoli <zippyzeppoli@gmail.com
<mailto:zippyzeppoli@gmail.com>>
*Cc:* websecurity@lists.webappsec.org
<mailto:websecurity@lists.webappsec.org>
*Sent:* Thursday, June 28, 2012 2:02 PM
*Subject:* Re: [WEB SECURITY] open source web app scanners
Zippy,
There is good list of web app scanners on sectools.org
<http://sectools.org/> [0]
You can try w3af [1] and arachni [2]
[0] http://sectools.org/tag/web-scanners/
[1] http://w3af.org
[2] http://arachni-scanner.com/
On 06/28/2012 04:40 AM, Zippy Zeppoli wrote:
Hi List,
I was wondering if anyone has come across a web application security
scanner which is open source that is on par with IBM Rational
AppScan.
I've come across some tools in the OWASP project but they don't
even seem
to come close to a too like AppScan.
Thanks in advance,
Z
--
Taras
http://oxdef.info
_______________________________________________
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org <mailto:websecurity@lists.webappsec.org>
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
I'm not in a position to say which tools are best, as I'm somewhat biased!
But I would recommend you check out the OWASP Zed Attack Proxy (ZAP) -
I've documented how you can use ZAP for integrating with tools like
Selenium as well as recorded a video about it - all linked off here:
http://code.google.com/p/zaproxy/wiki/SecRegTests
Cheers,
Simon (ZAP Project Lead)
On Thu, Jun 28, 2012 at 10:25 PM, Zippy Zeppoli zippyzeppoli@gmail.com wrote:
Awesome. Thank you all. I wonder which tools are best for automating? For example integrating into selenium tests, jenkins, etc.
On Thu, Jun 28, 2012 at 2:17 PM, Tony Turner tony_l_turner@yahoo.com wrote:
w3af is a good scanner and from a methodology standpoint checks all the boxes but I've had major stability issues in the past. I hardly ever use it anymore because it seems to crash right after it finds something useful. Lost way too much time re-scanning. If the stability issues were ever resolved I'd probably drop all my commercial (web) tools other than Burp.
--
Tony
http://sentinel24.com/blog/
From: Taras oxdef@oxdef.info
To: Zippy Zeppoli zippyzeppoli@gmail.com
Cc: websecurity@lists.webappsec.org
Sent: Thursday, June 28, 2012 2:02 PM
Subject: Re: [WEB SECURITY] open source web app scanners
Zippy,
There is good list of web app scanners on sectools.org [0]
You can try w3af [1] and arachni [2]
[0] http://sectools.org/tag/web-scanners/
[1] http://w3af.org
[2] http://arachni-scanner.com/
On 06/28/2012 04:40 AM, Zippy Zeppoli wrote:
Hi List,
I was wondering if anyone has come across a web application security
scanner which is open source that is on par with IBM Rational AppScan.
I've come across some tools in the OWASP project but they don't even seem
to come close to a too like AppScan.
Thanks in advance,
Z
--
Taras
http://oxdef.info
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
--
OWASP ZAP: Toolsmith Tool of the Year 2011
On 28 Jun 2012, at 22:25, Zippy Zeppoli wrote:
Awesome. Thank you all. I wonder which tools are best for automating? For example integrating into selenium tests, jenkins, etc.
You could have a look at BDD-Security http://www.continuumsecurity.net/bdd-intro.html (I'm the author).
In a nutshell, it provides a set of security requirements (written in JBehave) that can be executed using Selenium 2 as the driver + Burp as the scanner. Since it's a testing framework and not a fully automated scanner, it can do things that a scanner can't, such as automated role based access control tests:
http://teammentordevelopment.wordpress.com/2012/05/16/automated-access-control-testing-with-bdd-security/
and session management tests:
http://www.continuumsecurity.net/bdd-example-report/view/session_management.html
It's a maven project so can integrate with Jenkins: http://www.continuumsecurity.net/2012/05/02/jenkins-integration-with-bdd-security.html
If you'd prefer to roll your own, then the separate resty-burp tool could be useful as it'll let you control Burp from another process over REST/JSON: http://www.continuumsecurity.net/resty-intro.html (Note that you'll need a commercially licensed version of Burp to make use of the automated scanning features).
regards,
Stephen
From: Taras oxdef@oxdef.info
To: Zippy Zeppoli zippyzeppoli@gmail.com
Cc: websecurity@lists.webappsec.org
Sent: Thursday, June 28, 2012 2:02 PM
Subject: Re: [WEB SECURITY] open source web app scanners
Zippy,
There is good list of web app scanners on sectools.org [0]
You can try w3af [1] and arachni [2]
[0] http://sectools.org/tag/web-scanners/
[1] http://w3af.org
[2] http://arachni-scanner.com/
On 06/28/2012 04:40 AM, Zippy Zeppoli wrote:
Hi List,
I was wondering if anyone has come across a web application security
scanner which is open source that is on par with IBM Rational AppScan.
I've come across some tools in the OWASP project but they don't even seem
to come close to a too like AppScan.
Thanks in advance,
Z
--
Taras
http://oxdef.info
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
Tony,
On Thu, Jun 28, 2012 at 6:17 PM, Tony Turner tony_l_turner@yahoo.com wrote:
w3af is a good scanner and from a methodology standpoint checks all the
boxes but I've had major stability issues in the past. I hardly ever use it
anymore because it seems to crash right after it finds something useful.
Lost way too much time re-scanning.
Completely agree with you on that. Currently working full-time on w3af
to fix all those issues. Adding lots of unittests, integration tests,
and rewrote the error handling code. w3af should be much more stable
(and faster because I'm rewriting the threading model) in the next
months.
If the stability issues were ever
resolved I'd probably drop all my commercial (web) tools other than Burp.
--
Tony
http://sentinel24.com/blog/
From: Taras oxdef@oxdef.info
To: Zippy Zeppoli zippyzeppoli@gmail.com
Cc: websecurity@lists.webappsec.org
Sent: Thursday, June 28, 2012 2:02 PM
Subject: Re: [WEB SECURITY] open source web app scanners
Zippy,
There is good list of web app scanners on sectools.org [0]
You can try w3af [1] and arachni [2]
[0] http://sectools.org/tag/web-scanners/
[1] http://w3af.org
[2] http://arachni-scanner.com/
On 06/28/2012 04:40 AM, Zippy Zeppoli wrote:
Hi List,
I was wondering if anyone has come across a web application security
scanner which is open source that is on par with IBM Rational AppScan.
I've come across some tools in the OWASP project but they don't even seem
to come close to a too like AppScan.
Thanks in advance,
Z
--
Taras
http://oxdef.info
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
Not quite on par with AppScan or other current commercial products, but one
that's showing a lot of promise(Especially for the enterprise level) is
Arachni (https://github.com/Arachni/arachni). Some interesting features:
distributed deployment, commandline and web interfaces, a self-learning
subsystem, and the ability to add custom audit/crawler/report modules
through Ruby. The distributed deployment system is interesting because
your able to distribute the load of a scan across a set of servers to help
increase scan performance. You can also perform separate scans on separate
servers and the results will all be uploaded to a single server for
viewing. It still in its infancy and needs some love, but I believe it's
on it's way to becoming something great.
-Tom
On Wed, Jun 27, 2012 at 6:40 PM, Zippy Zeppoli zippyzeppoli@gmail.comwrote:
Hi List,
I was wondering if anyone has come across a web application security
scanner which is open source that is on par with IBM Rational AppScan.
I've come across some tools in the OWASP project but they don't even seem
to come close to a too like AppScan.
Thanks in advance,
Z
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org