websecurity@lists.webappsec.org

The Web Security Mailing List

open source web app scanners

TL
Tasos Laskos
Mon, Jul 9, 2012 9:58 PM

Just as a heads up if you go with Arachni, it does have all the
interesting stuff that Tom mentioned but has always been a bit quirky
when pushed.

I made a turn though with the under dev version and spent (and still do)
an enormous amount of time on stability, so if you want to give it a
shot prefer the nightly builds [1] as they are probably more stable than
the last "stable" version.

If you do go with it and come across a problem let me know, I usually
respond fast.

Anyhow, I saw Arachni mentioned so I figured I better give you a heads up.

Good luck on finding a tool that fits your needs, it may get tricky.

[1] http://downloads.arachni-scanner.com/nightlies/

PS. I'm the project leader.

On 07/06/2012 04:42 AM, Tom wrote:

Not quite on par with AppScan or other current commercial products, but
one that's showing a lot of promise (especially for the enterprise level)
is Arachni (https://github.com/Arachni/arachni). Some interesting
features: distributed deployment, command-line and web interfaces, a
self-learning subsystem, and the ability to add custom
audit/crawler/report modules through Ruby. The distributed deployment
system is interesting because you're able to distribute the load of a scan
across a set of servers to help increase scan performance. You can also
perform separate scans on separate servers and the results will all be
uploaded to a single server for viewing. It's still in its infancy and
needs some love, but I believe it's on its way to becoming something great.

-Tom

On Wed, Jun 27, 2012 at 6:40 PM, Zippy Zeppoli <zippyzeppoli@gmail.com> wrote:

 Hi List,
 I was wondering if anyone has come across a web application security
 scanner which is open source that is on par with IBM Rational AppScan.

 I've come across some tools in the OWASP project but they don't even
 seem to come close to a tool like AppScan.

 Thanks in advance,
 Z

 _______________________________________________
 The Web Security Mailing List

 WebSecurity RSS Feed
 http://www.webappsec.org/rss/websecurity.rss

 Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

 WASC on Twitter
 http://twitter.com/wascupdates

 websecurity@lists.webappsec.org <mailto:websecurity@lists.webappsec.org>
 http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

AS
Avi Shvartz
Thu, Jul 12, 2012 10:04 AM

Hi List,

I was wondering if anyone has been experimenting with IAST (Interactive Application Security Testing) tools, especially SEEKER.
Any lessons learned?
Are there other tools around?
Is it mature enough for prime time?
 
Best,
Avi
 


RP
Rohit Pitke
Sat, Jul 14, 2012 1:50 PM

Generally open source scanners lack the research and packaging that commercial tools put together (AppScan, Hailstorm etc.).
But segregated open source tools can work on par with these tools. Some examples are

  1. Sqlmap: for SQL injection
  2. Nikto
  3. Ratproxy/Skipfish: decent XSS detection

-Rohit


From: Tasos Laskos tasos.laskos@gmail.com
To: Tom tom.bifkin0@gmail.com
Cc: websecurity@lists.webappsec.org
Sent: Tuesday, July 10, 2012 3:28 AM
Subject: Re: [WEB SECURITY] open source web app scanners

P
psiinon
Mon, Jul 16, 2012 7:42 AM

It's worth having a look at the latest WAVSEP results:
http://sectooladdict.blogspot.co.uk/ http://www.sectoolmarket.com/
And if you're looking for an open source tool for detecting XSS issues then
I feel compelled to point out that OWASP ZAP came joint first in this
category with 100% detection rate and zero false positives ;)
http://www.sectoolmarket.com/reflected-cross-site-scripting-detection-accuracy-unified-list.html

Simon

--
OWASP ZAP: Toolsmith Tool of the Year 2011 <http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html>
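The "detection rate" and "false positives" Simon quotes from the WAVSEP unified list are easy to reproduce for your own scans, and doing so is the fairest way to compare the open-source tools named in this thread on a fixed corpus. The Ruby below is an added example, not code from the thread, from WAVSEP, or from any of the scanners mentioned. It assumes a benchmark that publishes two sets of test-case ids (truly vulnerable cases and deliberate false-positive traps) and a scanner report reduced to the set of ids it flagged; the case ids, the per-tool findings and the ranking rule (detection rate first, then fewest false positives, with identical scores sharing a rank, which is how "joint first" reads) are all constructed for this example.

```ruby
# Added example (not from the thread, WAVSEP, or any scanner it names):
# scoring several scanners' findings against a WAVSEP-style benchmark.
#
# A benchmark like WAVSEP publishes test cases that are either truly
# vulnerable or deliberate false-positive traps. A scanner's result is
# reduced to the set of case ids it flagged. From the two sets we derive:
#   detection rate  = flagged & vulnerable / vulnerable
#   false positives = flagged & traps (count, and rate over all traps)
#   precision       = true flags / all flags that belong to the benchmark
# Tools are ranked by detection rate, then by fewest false positives;
# tools with identical scores share a rank ("joint first").

require 'set'

Score = Struct.new(:tool, :detection_rate, :false_positives, :fp_rate, :precision)

# Ground truth for a constructed mini-benchmark. The ids are invented for
# this example; WAVSEP's real case names differ.
BENCHMARK = {
  vulnerable: Set.new(%w[rxss-01 rxss-02 rxss-03 rxss-04 rxss-05]),
  traps:      Set.new(%w[fp-01 fp-02 fp-03]),
}.freeze

# Constructed scanner output: each (hypothetical) tool maps to the case
# ids its report flagged. tool-d also reports an id outside the benchmark.
FINDINGS = {
  'tool-a' => Set.new(%w[rxss-01 rxss-02 rxss-03 rxss-04 rxss-05]),
  'tool-b' => Set.new(%w[rxss-01 rxss-02 rxss-03 rxss-04 rxss-05 fp-02]),
  'tool-c' => Set.new(%w[rxss-01 rxss-02 rxss-03 rxss-04 rxss-05]),
  'tool-d' => Set.new(%w[rxss-01 rxss-03 unknown-99]),
}.freeze

# Score one tool's flagged set against the benchmark.
def score(tool, flagged, benchmark)
  vulnerable = benchmark[:vulnerable]
  traps      = benchmark[:traps]
  # Ids that are not part of the benchmark are neither a hit nor a trap,
  # so they must not inflate or deflate any rate: drop them first.
  flagged = flagged & (vulnerable | traps)
  tp = (flagged & vulnerable).size
  fp = (flagged & traps).size
  Score.new(
    tool,
    tp.fdiv(vulnerable.size),
    fp,
    traps.empty? ? 0.0 : fp.fdiv(traps.size),
    flagged.empty? ? 0.0 : tp.fdiv(flagged.size)
  )
end

# Competition ranking: returns [[rank, score], ...]; equal scores share a
# rank and the next distinct score takes the rank after the tied block.
def rank(scores)
  sorted = scores.sort_by { |s| [-s.detection_rate, s.false_positives, s.tool] }
  ranked = []
  sorted.each_with_index do |s, i|
    prev = ranked.last
    tied = prev && prev[1].detection_rate == s.detection_rate &&
           prev[1].false_positives == s.false_positives
    ranked << [tied ? prev[0] : i + 1, s]
  end
  ranked
end

def ranked_scores(findings = FINDINGS, benchmark = BENCHMARK)
  rank(findings.map { |tool, flagged| score(tool, flagged, benchmark) })
end

if __FILE__ == $PROGRAM_NAME
  ranked_scores.each do |r, s|
    printf("%d. %-7s detection %5.1f%%  false positives %d (%.0f%%)  precision %.2f\n",
           r, s.tool, s.detection_rate * 100, s.false_positives, s.fp_rate * 100, s.precision)
  end
end
```

Run it as a plain script to print the ranked table; to score a real scan, replace FINDINGS with the case ids each tool's report flagged and BENCHMARK with the corpus's published ground truth. Two details matter when comparing tools this way: findings outside the benchmark are discarded before any rate is computed, and a tool that misses cases but raises no false positives still ranks below one that finds everything, because detection rate is the primary key.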
JD
Jason Drury
Tue, Jul 17, 2012 1:47 PM

I have been using the commercial edition of Burp for 3 years and have been very happy with it. It is very cheap ($300/year) compared to other commercial products and it is fast, stable, and accurate (IMO).

Before I renewed Burp last time I looked at ZAP, w3af, and Arachni to check if any of them would allow me to replace Burp. I really liked Arachni but I had some stability issues. ZAP was a close second behind Arachni and w3af is a great tool, but it is massive and difficult to navigate. Sounds like all three are being actively developed so it will be interesting when I review them again this year.


From: Tasos Laskos tasos.laskos@gmail.com
To: Tom tom.bifkin0@gmail.com
Cc: websecurity@lists.webappsec.org
Sent: Monday, July 9, 2012 4:58 PM
Subject: Re: [WEB SECURITY] open source web app scanners
