Which is the best web application vulnerability scanner among the free
software like
Arachni
JBrofuzz
Webshag
Websecurify
Zero Day Scan
Nikto
Wapiti
W3AF
Skipfish
Grendel-Scan
Grabber
Arachni
wikto
Maybe something more, and with support for server/client mode.
FIT1-213
Department of Computer Science
Tsinghua University, Beijing, 100084
http://about.me/anakin/bio
Hi, I like Netsparker, it's free and it works very well. Talking about the licensed ones, I like Acunetix.
Sent from my Movistar BlackBerry
-----Original Message-----
From: lukesun629@gmail.com
Sender: websecurity-bounces@lists.webappsec.org
Date: Tue, 3 May 2011 10:22:11
To: websecurity@webappsec.org
Subject: [WEB SECURITY] which is the best web application vulnerability
scanner
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
They all catch different things.
I use the paid version of BurpSuite primarily. Then I use skipfish and
arachni.
Netsparker is good, but pricey.
W3AF is good when it works, but I've had some very annoying crashes with
it... and a crash after running for eight hours is very irritating.
-Josh More
On Mon, May 2, 2011 at 9:22 PM, 孙松柏 lukesun629@gmail.com wrote:
What do you mean? Netsparker is not free...
--- On Tue, 3/5/11, jacorream@gmail.com jacorream@gmail.com wrote:
From: jacorream@gmail.com jacorream@gmail.com
Subject: Re: [WEB SECURITY] which is the best web application vulnerability scanner
To: "孙松柏" lukesun629@gmail.com, websecurity-bounces@lists.webappsec.org, websecurity@webappsec.org
Date: Tuesday, 3 May 2011 12:31
Best for what?
I'd recommend checking out this research:
http://sectooladdict.blogspot.com/2010/12/web-application-scanner-benchmark.html
More on scanner comparison efforts can be found here:
http://andrewpetukhov.blogspot.com/2011/01/web-application-scanner-comparison.html
Best of luck!
~Andrew
On 5/3/11 6:22 AM, 孙松柏 wrote:
My vote is for Skipfish. The only problem is a lot of false positives.
But it has a crawling feature.
Webshag is good for server hardening. Nikto for file/directory traversal
attacks.
From: 孙松柏 lukesun629@gmail.com
To: websecurity@webappsec.org
Sent: Tue, May 3, 2011 7:52:11 AM
Subject: [WEB SECURITY] which is the best web application vulnerability scanner
On Mon, May 2, 2011 at 7:22 PM, 孙松柏 lukesun629@gmail.com wrote:
Which is the best web application vulnerability scanner among the free
software like
Arachni
The WebUI is nice. Written in Ruby and requires Rails. Best installed
using RVM. Doesn't really stand out yet otherwise.
JBrofuzz
You can take the lists from tools like JBroFuzz, fuzzdb, DirBuster,
and admin-scan.py -- combine them (sort + uniq) -- and then run them
through a single-pane-of-glass tool like Burp Suite Professional (or
Fiddler, et al) or a command-line tool such as dirb. This is a very
common penetration-testing tactic.
Websecurify
There is a Google Chrome/Chromium extension/app. This tool is best
used when customized internally, which requires heavy knowledge of
Javascript, especially as a browser/application driver (which is a
rare skillset to have).
Nikto
This tool is mentioned along with others in the book, "Backtrack 4:
Assuring Security by Penetration Testing". There are some clear
examples of running the tool as well as anecdotes about its
usefulness. I highly encourage you to check out this book for other
non-obvious reasons that will perhaps become obvious after you read
it.
Wapiti
Great tool, but works only in certain situations. Probably a good tool
to combine with other tools that can rewrite headers and perform
passive analysis, such as Burp Suite Professional or Fiddler with
Casaba Watcher. I especially like how Wapiti can specify POST-only
attacks. It's written in Python.
W3AF
This is one of the best tools because it stands alone in its support
of key innovations in webappsec technology. It has the best
open-source crawler, as seen from the wivet.googlecode.com results.
Many people think that W3AF is all Python, but it's really a mix of
languages -- especially now that its founders and developers work for
Rapid7 (classically known to be a Ruby appdev shop). My favorite
features of W3AF are the spiderMan discovery plugin, all of the grep
plugins (which can be imported into Burp via the Burp Python extension
API), and some of the attack/evasion plugins. The emailReport plugin
is handy, the XML output is excellent (and it has its own XSD), and
the Export Request Tool feature is one of my favorites -- allowing
export of attacks to various languages, including HTML, Ajax, Python,
and Ruby (note that these are best when imported into HtmlFixture in
FitNesse, or used on a build/CI server as integration tests).
Skipfish
It's written in C and super-fast, with some really interesting
capabilities. The crawler isn't bad, but it's not quite as good as
W3AF (or some commercial tools). I like the "-D" flag the most, and
the ability for this tool to go through those
JBroFuzz/fuzzdb/admin-scan.py/DirBuster lists is unmatched --
especially given its other capabilities to lean on dictionaries for
predictable-resource-location attacks.
Grendel-Scan
Terrible performance, scalability, and usability. I don't believe the
author promotes its usage anymore.
Grabber
I've always liked this tool, but it's a bit of a project; almost
academic. The author went on to do more with Python, such as the
BlackSheep browser that performs security testing.
wikto
I'm not sure this is supported anymore -- it was replaced by Suru many
years ago, which itself has not been updated in some time. Many of the
search/dorking capabilities are replaced by newer tools such as
SearchDiggity.
==
My personal recommendation is to learn the concepts in Tamper Data and
to build on webappsec knowledge in order to write your own scanner(s).
The ones that you build for yourself will always be "the best",
because you're the customer (and you know yourself and your testing
capabilities, especially test case design and test case organization
along with time management and other principles).
The commercial tools are a waste of time, money, and I'd like to say
many other bad things about them. However, both Netsparker and
WebInspect have crawlers and manual modes that can be useful in rare
circumstances -- so I add them to my toolchain, which is usually
dominated by Tamper Data, Burp Suite Professional, W3AF, and Fiddler
with Casaba Watcher and x5s. However, I find many other tools useful
at times.
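As an added example (not code from the thread, nor from JBroFuzz, fuzzdb, DirBuster, dirb or Skipfish), here is the wordlist merge Andre describes above, the "sort + uniq" step with the normalisation that step does not do for you, feeding the forced-browsing loop those lists are built for. It also shows the soft-404 baseline that keeps a list-driven scan from reporting every path as found, which is the Skipfish false-positive complaint earlier in the thread. The three sample wordlists and the target are constructed; `fake_fetch`, `merge_wordlists`, `soft404_baseline` and `forced_browse` are this example's own names, and the fetcher is injected so the block runs offline (wrap urllib or requests to point it at a host you are authorised to test).

```python
"""Merge forced-browsing wordlists and run them with a soft-404 baseline."""
import hashlib
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Constructed sample lists standing in for JBroFuzz / fuzzdb / DirBuster
# exports. Real lists are thousands of lines; the overlap and the messy
# formatting (leading slashes, CRLF, comments, mixed case) are realistic.
LIST_JBROFUZZ = "admin\nbackup\r\n/config\nadmin\n# comment line\n"
LIST_FUZZDB = "admin/\nbackup.zip\n.git/\n\nCONFIG\n"
LIST_DIRBUSTER = "admin\nphpinfo.php\nbackup\n"


def merge_wordlists(lists: Iterable[str], case_sensitive: bool = True) -> List[str]:
    """The `cat *.txt | sort -u` step, plus the normalisation sort -u does not
    do for you: strip CR/whitespace, drop comments and blank lines, and remove
    leading slashes so "/config" and "config" collapse into one request.
    Trailing slashes are kept: "admin" and "admin/" are different requests
    on most servers and both belong in the list."""
    seen: Set[str] = set()
    for text in lists:
        for raw in text.splitlines():
            word = raw.strip()
            if not word or word.startswith("#"):
                continue
            word = word.lstrip("/")
            if not case_sensitive:
                word = word.lower()
            seen.add(word)
    return sorted(seen)


# A fetcher maps a relative path to (status_code, body). It is injected so
# the block runs offline; wrap urllib or requests for a real target.
Fetcher = Callable[[str], Tuple[int, bytes]]


def _fingerprint(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def soft404_baseline(fetch: Fetcher, probes: int = 3) -> Set[str]:
    """Request paths that cannot exist and remember what a "not found" page
    looks like. Sites that answer 200 for everything are the main source of
    forced-browsing false positives; matching later hits against this
    baseline removes most of them."""
    fingerprints: Set[str] = set()
    for i in range(probes):
        status, body = fetch(f"zz-nonexistent-{i}-probe")
        if status == 200:
            fingerprints.add(_fingerprint(body))
    return fingerprints


def forced_browse(fetch: Fetcher, words: List[str]) -> Dict[str, int]:
    """Return {path: status} for entries that appear to be real resources.
    301/302/401/403 are kept on purpose: a redirect or an auth wall on
    admin/ is exactly the kind of predictable resource you want to know about."""
    baseline = soft404_baseline(fetch)
    hits: Dict[str, int] = {}
    for word in words:
        status, body = fetch(word)
        if status == 200 and _fingerprint(body) in baseline:
            continue  # identical to a random path: soft 404, not a hit
        if status in (200, 301, 302, 401, 403):
            hits[word] = status
    return hits


def fake_fetch(path: str) -> Tuple[int, bytes]:
    """Constructed target: three real resources; everything else is a
    soft 404 that answers 200 with the same error page."""
    site = {
        "admin/": (401, b"authentication required"),
        "backup.zip": (200, b"PK\x03\x04 fake archive bytes"),
        ".git/": (403, b"forbidden"),
    }
    return site.get(path, (200, b"<h1>Page not found</h1>"))


if __name__ == "__main__":
    merged = merge_wordlists([LIST_JBROFUZZ, LIST_FUZZDB, LIST_DIRBUSTER])
    print(len(merged), "unique entries:", merged)
    print("hits:", forced_browse(fake_fetch, merged))
```

Against the constructed target, the eleven raw lines collapse to eight unique requests, and only the three genuine resources come back as hits; the five paths that return the generic 200 page are dropped because their body matches the baseline taken from deliberately nonexistent paths.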
I'd give a vote for Burp Pro for the money. If you only have
time to play around with one free/inexpensive tool, Burp
Pro will give you the most bang for the buck on your list.
By the way - love the humor on WASC today. I love that post
about how the real answer is that we should all just write our
own scanners and use tamper data, funniest thing I've read in
months! Jerry Maguire, Free Love, Rainbows and Unicorns!
Arian Evans
Software Security Scanner Sophisticate
It didn't occur to me before but I think you're asking the wrong question.
You're working backwards...you first need to figure out what you want
to do and then find a scanner that does those things well.
So...what are you looking for?
On 05/03/2011 03:22 AM, 孙松柏 wrote:
Has anyone used the free version of Acunetix lately? The free version
only scans for XSS but version 7 does not seem to identify ANY XSS
vulnerabilities. I still have version 6.5 and it finds many XSS in my
test app, but version 7 finds zero.
On 5/3/11 2:14 PM, Andre Gironda wrote:
--
Steve Lockwood
LochNET Systems, LLC.
Mobile: (727) 512-8408
Email: steve@lochnetsystems.com
http://www.lochnetsystems.com
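As an added example (not code from the thread, from Acunetix, or from w3af), here is the kind of test app Steve's question turns on, and the check behind it: a reflected-XSS canary in three constructed versions (raw reflection, the common wrong fix that strips only angle brackets, and proper output encoding) beside the reflection probe every scanner runs against such a page. Because the probe is a plain function, it also serves as the CI regression test Andre describes for w3af's exported attacks. The handler names, the `/search` path and the `q` parameter are this example's own; the handlers are called directly, so the block runs offline.

```python
"""A reflected-XSS canary page and the reflection probe a scanner runs on it."""
import html
import secrets
from typing import Callable, Dict, List
from urllib.parse import parse_qs, urlsplit

# A handler takes the request target ("/path?query") and returns the HTML body.
Handler = Callable[[str], str]


def _param(url: str, name: str) -> str:
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def vulnerable_search(url: str) -> str:
    """Canary: ?q= is reflected into an HTML text context with no encoding.
    A scanner that reports nothing here is broken, whatever its version."""
    return f"<html><body>Results for: {_param(url, 'q')}</body></html>"


def strip_angle_search(url: str) -> str:
    """The common wrong fix: removes < and > but leaves quotes, so the same
    value is still exploitable wherever it is reflected inside an attribute."""
    q = _param(url, "q").replace("<", "").replace(">", "")
    return f"<html><body>Results for: {q}</body></html>"


def fixed_search(url: str) -> str:
    """Output encoding for the HTML context, quotes included."""
    q = html.escape(_param(url, "q"), quote=True)
    return f"<html><body>Results for: {q}</body></html>"


def probe_reflection(handler: Handler, path: str, param: str) -> Dict[str, bool]:
    """Send a random marker wrapped in the characters that matter and report
    which came back intact. The random marker avoids matching the same word
    elsewhere on the page (or a cached response); checking the surrounding
    characters separates "reflected but encoded" from a real finding.
    The payload is not percent-encoded here because the constructed handlers
    are called directly; a real client would encode it and the server decodes."""
    marker = secrets.token_hex(4)
    payload = f"<\"'{marker}>"
    body = handler(f"{path}?{param}={payload}")
    return {
        "reflected": marker in body,
        "angle_intact": f"<\"'{marker}>" in body,
        "quotes_intact": f"\"'{marker}" in body,
    }


def is_reflected_xss(handler: Handler, path: str, param: str,
                     context: str = "text") -> bool:
    """Text context needs < and > to survive; an attribute context is
    already exploitable when a quote survives."""
    r = probe_reflection(handler, path, param)
    if not r["reflected"]:
        return False
    if context == "attribute":
        return r["quotes_intact"] or r["angle_intact"]
    return r["angle_intact"]


def scan_params(handler: Handler, path: str, params: List[str],
                context: str = "text") -> List[str]:
    """Names of the parameters that reflect with active characters intact.
    Run under a test runner, this is the CI regression check for the page."""
    return [p for p in params if is_reflected_xss(handler, path, p, context)]


if __name__ == "__main__":
    for name, h in [("vulnerable", vulnerable_search),
                    ("strip_angle", strip_angle_search),
                    ("fixed", fixed_search)]:
        print(name, "text:", scan_params(h, "/search", ["q", "page"]),
              "attribute:", scan_params(h, "/search", ["q"], context="attribute"))
```

The point of keeping the canary next to the scanner is the situation Steve describes: when a new scanner version reports zero XSS, running it against a page you know is vulnerable tells you within a minute whether the scanner regressed or the app was fixed. The `strip_angle_search` case is why the probe reports quote survival separately: a text-context-only check passes it, an attribute-context check does not.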