Re: [WEB SECURITY] Opinions on Burp Suite Web App Scanner
It is the best product you will find for $300. It's probably the most
widely used testing proxy today, and I highly recommend it for what it
is. As for the crawler, that all depends on your websites. Go
benchmark it on Wivet if you want synthetic metrics, but all that
really matters are how a given crawler works on your own websites.
For pure automation Netsparker is also cheap. Not useful for my needs,
but consultancies that do limited scanner-jockey work on the DAST side
of things get by with it.
Also the SF pen-test list is dead for modern appsec PT talk. I
recommend the OWASP or WASC lists. In fact, I bet this bounces from
the SF PT list because the admins still can't figure out how to deal
with gmail forwards on 40% of the SF lists. </amateur>
I've CC'd the WASC list for you. The Denizens can chime in,
Arian Evans
Software Security Scanner Sophisticate
On Wed, Oct 12, 2011 at 8:31 AM, Derrenbacker, L. Jonathan
JDerrenbacker@kshgs.com wrote:
I have budget for a web app vulnerability scanner, and I was wondering if anyone has opinions on the professional version Burp Suite with the scanner option.
Is the scanner any good? Accurate?
This is the website if anyone doesn't know what it is:
http://portswigger.net/burp/scanner.html
Thanks,
Jon
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
There is a project that automates, passive analysis made by Burp.
The Creator is the Wagner Elias, is an opensource project, done in Brazil.
http://wagnerelias.com/2011/10/18/webfight-automatizando-a-analise-passiva-de-aplicacoes-web/
@firebitsbr
2011/10/12 Arian J. Evans arian.evans@anachronic.com
It is the best product you will find for $300. It's probably the most
widely used testing proxy today, and I highly recommend it for what it
is. As for the crawler, that all depends on your websites. Go
benchmark it on Wivet if you want synthetic metrics, but all that
really matters are how a given crawler works on your own websites.
For pure automation Netsparker is also cheap. Not useful for my needs,
but consultancies that do limited scanner-jockey work on the DAST side
of things get by with it.
Also the SF pen-test list is dead for modern appsec PT talk. I
recommend the OWASP or WASC lists. In fact, I bet this bounces from
the SF PT list because the admins still can't figure out how to deal
with gmail forwards on 40% of the SF lists. </amateur>
I've CC'd the WASC list for you. The Denizens can chime in,
Arian Evans
Software Security Scanner Sophisticate
On Wed, Oct 12, 2011 at 8:31 AM, Derrenbacker, L. Jonathan
JDerrenbacker@kshgs.com wrote:
I have budget for a web app vulnerability scanner, and I was wondering if
anyone has opinions on the professional version Burp Suite with the scanner
option.
Is the scanner any good? Accurate?
This is the website if anyone doesn't know what it is:
http://portswigger.net/burp/scanner.html
Thanks,
Jon
This list is sponsored by: Information Assurance Certification Review
Board
Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require a
full practical examination in order to become certified.
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org