websecurity@lists.webappsec.org

The Web Security Mailing List


which is the best web application vulnerability scanner

孙松柏
Tue, May 3, 2011 2:22 AM

Which is the best web application vulnerability scanner among the free
software like
Arachni
JBrofuzz
Webshag
Websecurify
Zero Day Scan
Nikto
Wapiti
W3AF
Skipfish
Grendel-Scan
Grabber
Arachni
wikto
(maybe something more), and which support server/client mode?

FIT1-213
Department of Computer Science
Tsinghua University, Beijing, 100084
http://about.me/anakin/bio

jacorream@gmail.com
Tue, May 3, 2011 4:31 PM

Hi, I like Netsparker, it's free and it works very well. Talking about the licensed ones, I like Acunetix.
Sent from my Movistar BlackBerry

-----Original Message-----
From:  lukesun629@gmail.com
Sender: websecurity-bounces@lists.webappsec.org
Date: Tue, 3 May 2011 10:22:11
To: websecurity@webappsec.org
Subject: [WEB SECURITY] which is the best web application vulnerability
scanner


The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Josh More
Tue, May 3, 2011 4:40 PM

They all catch different things.

I use the paid version of BurpSuite primarily.  Then I use skipfish and
arachni.

Netsparker is good, but pricey.

W3AF is good when it works, but I've had some very annoying crashes with
it... and a crash after running for eight hours is very irritating.

-Josh More

On Mon, May 2, 2011 at 9:22 PM, 孙松柏 lukesun629@gmail.com wrote:


Miguel Gonzalez
Tue, May 3, 2011 4:45 PM

What do you mean? Netsparker is not free...

--- On Tue, 3/5/11, jacorream@gmail.com <jacorream@gmail.com> wrote:


Andrew Petukhov
Tue, May 3, 2011 5:03 PM

Best for what?
I'd recommend checking out this research:
http://sectooladdict.blogspot.com/2010/12/web-application-scanner-benchmark.html

More material on scanner comparison efforts can be found here:
http://andrewpetukhov.blogspot.com/2011/01/web-application-scanner-comparison.html

Best of luck!

~Andrew

On 5/3/11 6:22 AM, 孙松柏 wrote:


Rohit Pitke
Tue, May 3, 2011 5:05 PM

My vote is for Skipfish. The only problem is a lot of false positives,
but it has a crawling feature.
Webshag is good for server hardening; Nikto for file/directory traversal
attacks.


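Josh More's observation that the scanners all catch different things, and Rohit's that Skipfish produces many false positives, point the same way: run more than one tool and merge the reports before anyone starts verifying. The following Python is an added example, not code from this thread or from any of the scanners named; it merges constructed findings (the sample data and the alias table are invented for the example, not any tool's real output format) into one triage list keyed on vulnerability class, host, path and parameter, so that a finding reported by several tools is recognised as one issue and a lone report is routed to manual verification first.

```python
from urllib.parse import urlsplit

# Constructed sample findings, NOT the real report format of any scanner in
# the thread. Each entry is (vuln_class, url, parameter); the differing
# class names, host case and query strings are deliberate.
CONSTRUCTED_FINDINGS = {
    "scanner_a": [
        ("xss", "http://Test.Example/search.php?q=1&page=2", "q"),
        ("sqli", "http://test.example/item.php?id=5", "id"),
        ("dir_listing", "http://test.example/backup/", None),
    ],
    "scanner_b": [
        ("XSS", "http://test.example/search.php?page=2&q=abc", "q"),
        ("SQL Injection", "http://test.example/item.php?id=7", "ID"),
        ("info_disclosure", "http://test.example/phpinfo.php", None),
    ],
    "scanner_c": [
        ("Cross-Site Scripting", "http://test.example/search.php?q=zz", "q"),
    ],
}

# Hypothetical alias table: each tool has its own vocabulary, so map the
# names you actually see onto one class name per issue type.
CLASS_ALIASES = {
    "xss": "xss", "cross-site scripting": "xss",
    "sqli": "sqli", "sql injection": "sqli",
}


def normalise_class(name):
    key = " ".join(name.strip().lower().split())
    return CLASS_ALIASES.get(key, key)


def finding_key(vuln_class, url, parameter):
    """Identity of a finding: (class, host, path, parameter). The query
    string is dropped because every scanner injects its own test values."""
    parts = urlsplit(url)
    return (normalise_class(vuln_class), parts.netloc.lower(),
            parts.path or "/", parameter.lower() if parameter else None)


def merge_findings(per_scanner):
    """{finding_key: sorted names of the scanners that reported it}."""
    merged = {}
    for scanner, findings in per_scanner.items():
        for vuln_class, url, parameter in findings:
            merged.setdefault(finding_key(vuln_class, url, parameter), set()).add(scanner)
    return {key: sorted(names) for key, names in merged.items()}


def triage(per_scanner):
    """Split into corroborated findings (two or more tools agree) and
    singletons. Singletons are not discarded (tools do catch different
    things); they simply head the manual-verification queue, because a
    lone report is where the false positives concentrate."""
    merged = merge_findings(per_scanner)
    corroborated = {k: v for k, v in merged.items() if len(v) >= 2}
    singletons = {k: v for k, v in merged.items() if len(v) == 1}
    return corroborated, singletons


if __name__ == "__main__":
    corroborated, singletons = triage(CONSTRUCTED_FINDINGS)
    for key, names in corroborated.items():
        print("CORROBORATED", key, names)
    for key, names in singletons.items():
        print("VERIFY      ", key, names)
```

The key deliberately ignores query-string values and scheme: a reflected XSS in `q` on `/search.php` is the same defect whichever payload found it. What the key must not collapse is the parameter name, since two parameters on one page are two separate fixes.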

Andre Gironda
Tue, May 3, 2011 6:14 PM

On Mon, May 2, 2011 at 7:22 PM, 孙松柏 <lukesun629@gmail.com> wrote:

> which is the best web application vulnerability scanner .among the free
> software like
> Arachni

The WebUI is nice. Written in Ruby and requires Rails. Best installed
using RVM. Doesn't really stand out yet otherwise.

> JBrofuzz

You can take the lists from tools like JBroFuzz, fuzzdb, DirBuster,
and admin-scan.py -- combine them (sort + uniq) -- and then run them
through a single-pane-of-glass tool like Burp Suite Professional (or
Fiddler, et al) or a command-line tool such as dirb. This is a very
common penetration-testing tactic.

> Websecurify

There is a Google Chrome/Chromium extension/app. This tool is best
used when customized internally, which requires heavy knowledge of
Javascript, especially as a browser/application driver (which is a
rare skillset to have).

> Nikto

This tool is mentioned along with others in the book, "Backtrack 4:
Assuring Security by Penetration Testing". There are some clear
examples of running the tool as well as anecdotes about its
usefulness. I highly encourage you to check out this book for other
non-obvious reasons that will perhaps become obvious after you read
it.

> Wapiti

Great tool, but works only in certain situations. Probably a good tool
to combine with other tools that can rewrite headers and perform
passive analysis, such as Burp Suite Professional or Fiddler with
Casaba Watcher. I especially like how Wapiti can specify POST-only
attacks. It's written in Python.

> W3AF

This is one of the best tools because it stands alone in its support
of key innovations in webappsec technology. It has the best
open-source crawler, as seen from the wivet.googlecode.com results.
Many people think that W3AF is all Python, but it's really a mix of
languages -- especially now that its founders and developers work for
Rapid7 (classically known to be a Ruby appdev shop). My favorite
features of W3AF are the spiderMan discovery plugin, all of the grep
plugins (which can be imported into Burp via the Burp Python extension
API), and some of the attack/evasion plugins. The emailReport plugin
is handy, the XML output is excellent (and it has its own XSD), and
the Export Request Tool feature is one of my favorites -- allowing
export of attacks to various languages, including HTML, Ajax, Python,
and Ruby (note that these are best when imported into HtmlFixture in
FitNesse, or used on a build/CI server as integration tests).

> Skipfish

It's written in C and super-fast, with some really interesting
capabilities. The crawler isn't bad, but it's not quite as good as
W3AF (or some commercial tools). I like the "-D" flag the most, and
the ability for this tool to go through those
JBroFuzz/fuzzdb/admin-scan.py/DirBuster lists is unmatched --
especially given its other capabilities to lean on dictionaries for
predictable-resource-location attacks.

> Grendel-Scan

Terrible performance, scalability, and usability. I don't believe the
author promotes its usage anymore.

> Grabber

I've always liked this tool, but it's a bit of a project; almost
academic. The author went on to do more with Python, such as the
BlackSheep browser that performs security testing.

> wikto

I'm not sure this is supported anymore -- it was replaced by Suru many
years ago, which itself has not been updated in some time. Many of the
search/dorking capabilities are replaced by newer tools such as
SearchDiggity.

==
My personal recommendation is to learn the concepts in Tamper Data and
to build on webappsec knowledge in order to write your own scanner(s).
The ones that you build for yourself will always be "the best",
because you're the customer (and you know yourself and your testing
capabilities, especially test case design and test case organization
along with time management and other principles).

The commercial tools are a waste of time, money, and I'd like to say
many other bad things about them. However, both Netsparker and
WebInspect have crawlers and manual modes that can be useful in rare
circumstances -- so I add them to my toolchain, which is usually
dominated by Tamper Data, Burp Suite Professional, W3AF, and Fiddler
with Casaba Watcher and x5s. However, I find many other tools useful
at times.
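Andre's "combine them (sort + uniq)" step for the JBroFuzz/fuzzdb/DirBuster/admin-scan.py lists is worth doing with slightly more care than a plain `sort -u`, because the lists disagree on trailing slashes, leading slashes, CRLF line endings and comment lines, and every such near-duplicate is a wasted request and an extra line of noise in the target's logs. The Python below is an added example, not Andre's script or part of any of the tools named; the three sample lists are constructed stand-ins and not the contents of those projects' lists. It canonicalises each entry, keeps first-seen order, and reports how many new entries each source actually contributed, which tells you whether a list is worth carrying at all.

```python
import io

# Constructed sample lists, stand-ins for the JBroFuzz/fuzzdb/DirBuster/
# admin-scan.py lists the post refers to. These are NOT those lists' contents.
CONSTRUCTED_LISTS = {
    "list_a": "admin\nbackup/\n# comment\n\n/login\nadmin\r\n",
    "list_b": "login\nAdmin\nold.bak\n  backup  \n",
    "list_c": "phpinfo.php\n/login/\n",
}


def normalise_entry(line):
    """Canonical form of one wordlist line, or None if it carries nothing.
    Surrounding whitespace and leading/trailing slashes are stripped so
    'backup/', '/login' and 'login' collapse into one entry. Case is kept:
    most targets are case-sensitive, so 'Admin' is a distinct request."""
    entry = line.strip()
    if not entry or entry.startswith("#"):
        return None
    entry = entry.strip("/")
    return entry or None


def read_list(text):
    """Entries of one list, canonicalised and de-duplicated, in file order."""
    seen, entries = set(), []
    for line in io.StringIO(text):
        entry = normalise_entry(line)
        if entry is not None and entry not in seen:
            seen.add(entry)
            entries.append(entry)
    return entries


def merge_wordlists(lists):
    """Union of all lists in first-seen order, plus the number of entries
    each source contributed that no earlier source already had (the part
    'uniq' does for you, made visible per list)."""
    merged, seen, new_per_source = [], set(), {}
    for name, text in lists.items():
        new = 0
        for entry in read_list(text):
            if entry not in seen:
                seen.add(entry)
                merged.append(entry)
                new += 1
        new_per_source[name] = new
    return merged, new_per_source


def merge_files(paths):
    """Same merge over files on disk; bad bytes are replaced, not fatal."""
    lists = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            lists[path] = fh.read()
    return merge_wordlists(lists)


if __name__ == "__main__":
    merged, contributed = merge_wordlists(CONSTRUCTED_LISTS)
    print("\n".join(merged))
    print(contributed)
```

Order matters for the contribution counts: put the list you trust most first, and a later list whose count comes out near zero is one you can drop without losing coverage.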

Arian J. Evans
Tue, May 3, 2011 7:06 PM

I'd give a vote for Burp Pro for the money. If you only have
time to play around with one free/inexpensive tool, Burp
Pro will give you the most bang for the buck on your list.

By the way - love the humor on WASC today. I love that post
about how the real answer is that we should all just write our
own scanners and use tamper data, funniest thing I've read in
months! Jerry McGuire, Free Love, Rainbows and Unicorns!


Arian Evans
Software Security Scanner Sophisticate

Tasos Laskos
Tue, May 3, 2011 7:46 PM

It didn't occur to me before but I think you're asking the wrong question.
You're working backwards...you first need to figure out *what* you want
to do and then find a scanner that does those things *well*.

So...what are you looking for?

On 05/03/2011 03:22 AM, 孙松柏 wrote:


Steve Lockwood
Wed, May 4, 2011 12:05 AM

Has anyone used the free version of Acunetix lately? The free version
only scans for XSS but version 7 does not seem to identify ANY XSS
vulnerabilities. I still have version 6.5 and it finds many XSS in my
test app, but version 7 finds zero.

On 5/3/11 2:14 PM, Andre Gironda wrote:


--
Steve Lockwood
LochNET Systems, LLC.
Mobile: (727) 512-8408
Email: steve@lochnetsystems.com
http://www.lochnetsystems.com
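Steve's comparison of Acunetix 6.5 and 7 against his own test app is the check every scanner deserves: a report of zero findings means nothing unless the scanner demonstrably flags an issue you already know is there. The Python below is an added example, not Steve's test app, Acunetix's, or any scanner's code. It is a minimal baseline fixture: one search page in a known-vulnerable form (reflected, unescaped) and in its corrected form (HTML-escaped), a canary check that computes the ground truth for each directly from the handler, and an `evaluate_scanner` function that grades a scanner's verdicts against that truth, so a false negative of the kind Steve describes shows up as such. The endpoint paths and the report layout are hypothetical.

```python
import html
from urllib.parse import parse_qs, urlencode

# Hypothetical two-endpoint "test app", constructed for this example: the
# same search page once with the reflected-XSS defect and once with the fix.
# It is not Acunetix's test app nor any scanner's.


def search_page_vulnerable(query_string):
    """Known-bad baseline: echoes the q parameter into HTML unescaped."""
    q = parse_qs(query_string).get("q", [""])[0]
    return "<html><body><p>Results for: " + q + "</p></body></html>"


def search_page_fixed(query_string):
    """Corrected version: HTML-escapes q (quotes included) before output."""
    q = parse_qs(query_string).get("q", [""])[0]
    return ("<html><body><p>Results for: "
            + html.escape(q, quote=True) + "</p></body></html>")


# Canary carrying the characters an output encoder must neutralise. It is
# inert text; it only shows whether those characters come back verbatim.
CANARY = "zz<\"'>yy"


def reflected_unescaped(body, canary=CANARY):
    """True when the canary appears byte-for-byte in the response, i.e. the
    page reflected it without escaping."""
    return canary in body


def baseline_check(handler, canary=CANARY):
    """Ground truth for one endpoint, computed directly from its handler."""
    return reflected_unescaped(handler(urlencode({"q": canary})), canary)


# Hypothetical paths the test app serves, with the verdict a scanner must
# give for each. This is the answer key the scanner is graded against.
EXPECTED = {
    "/search-vulnerable": True,   # must be reported
    "/search-fixed": False,       # must not be reported
}


def evaluate_scanner(report):
    """Compare a scanner's verdicts {path: reported_xss} with the answer
    key. Returns a list of (mismatch_kind, path); an empty list means the
    scanner passed the baseline. A missing path counts as 'not reported'."""
    mismatches = []
    for path, should_report in EXPECTED.items():
        reported = bool(report.get(path, False))
        if should_report and not reported:
            mismatches.append(("false_negative", path))
        elif reported and not should_report:
            mismatches.append(("false_positive", path))
    return mismatches


if __name__ == "__main__":
    # The answer key must agree with the handlers before it is used.
    assert baseline_check(search_page_vulnerable) is True
    assert baseline_check(search_page_fixed) is False
    # A scanner that reports nothing at all, as in the version-7 case
    # described above, fails with a false negative on the known-bad page.
    print(evaluate_scanner({"/search-vulnerable": False, "/search-fixed": False}))
```

The fixed endpoint is as important as the vulnerable one: a scanner that flags both has a false-positive problem, which is the complaint raised about Skipfish earlier in the thread, and a baseline with only a vulnerable page would never reveal it. Extend `EXPECTED` with one pair per issue class you care about, then re-run the grading on every scanner upgrade.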
