Just as a heads up if you go with Arachni, it does have all the
interesting stuff that Tom mentioned but has always been a bit quirky
when pushed.
I made a turn though with the under dev version and spent (and still do)
an enormous amount of time on stability, so if you want to give it a
shot prefer the nightly builds [1] as they are probably more stable than
the last "stable" version.
If you do go with it and come across a problem let me know, I usually
respond fast.
Anyhow, I saw Arachni mentioned so I figured I better give you a heads up.
Good luck on finding a tool that fits your needs, it may get tricky.
[1] http://downloads.arachni-scanner.com/nightlies/
PS. I'm the project leader.
On 07/06/2012 04:42 AM, Tom wrote:
Not quite on par with AppScan or other current commercial products, but
one that's showing a lot of promise (especially for the enterprise level)
is Arachni (https://github.com/Arachni/arachni). Some interesting
features: distributed deployment, command-line and web interfaces, a
self-learning subsystem, and the ability to add custom
audit/crawler/report modules through Ruby. The distributed deployment
system is interesting because you're able to distribute the load of a scan
across a set of servers to help increase scan performance. You can also
perform separate scans on separate servers and the results will all be
uploaded to a single server for viewing. It's still in its infancy and
needs some love, but I believe it's on its way to becoming something great.
-Tom
On Wed, Jun 27, 2012 at 6:40 PM, Zippy Zeppoli <zippyzeppoli@gmail.com> wrote:
Hi List,
I was wondering if anyone has come across an open source web application
security scanner that is on par with IBM Rational AppScan.
I've come across some tools in the OWASP project but they don't even
seem to come close to a tool like AppScan.
Thanks in advance,
Z
_______________________________________________
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
Hi List,
I was wondering if anyone has experimented with using IAST (Interactive Application Security Testing) tools, especially SEEKER.
Any lessons learned?
Are there other tools around?
Is it mature enough for prime time?
Best,
Avi
Generally, open source scanners lack the research and packaging that commercial tools put together (AppScan, Hailstorm, etc.).
But segregated open source tools can work on par with these tools. Some examples are
-Rohit
From: Tasos Laskos tasos.laskos@gmail.com
To: Tom tom.bifkin0@gmail.com
Cc: websecurity@lists.webappsec.org
Sent: Tuesday, July 10, 2012 3:28 AM
Subject: Re: [WEB SECURITY] open source web app scanners
It's worth having a look at the latest wavsep results:
http://sectooladdict.blogspot.co.uk/ http://www.sectoolmarket.com/
And if you're looking for an open source tool for detecting XSS issues then
I feel compelled to point out that OWASP ZAP came joint first in this
category with 100% detection rate and zero false positives ;)
http://www.sectoolmarket.com/reflected-cross-site-scripting-detection-accuracy-unified-list.html
Simon
On Sat, Jul 14, 2012 at 2:50 PM, Rohit Pitke rohirp92@yahoo.com wrote:
--
OWASP ZAP: Toolsmith Tool of the Year 2011
http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html
I have been using the commercial edition of Burp for 3 years and have been very happy with it. It is very cheap ($300/year) compared to other commercial products and it is fast, stable, and accurate (IMO).
Before I renewed Burp last time I looked at ZAP, w3af, and Arachni to check if any of them would allow me to replace Burp. I really liked Arachni but I had some stability issues. ZAP was a close second behind Arachni and w3af is a great tool, but it is massive and difficult to navigate. Sounds like all three are being actively developed so it will be interesting when I review them again this year.
From: Tasos Laskos tasos.laskos@gmail.com
To: Tom tom.bifkin0@gmail.com
Cc: websecurity@lists.webappsec.org
Sent: Monday, July 9, 2012 4:58 PM
Subject: Re: [WEB SECURITY] open source web app scanners