Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Web Application Tester

from [Lachniet, Mark] Network Security [Permanent Link]
Subject: RE: Web Application Tester
Date: Tue, 21 Sep 2004 08:49:39 -0400 
I have to agree with you here - the cost of button pushing can be
immense.  I think SPI is a great tool, though not entirely perfect.  I
can't imagine trying to do multiple or large web sites all by hand - it
simply wouldn't be as thorough for the same money.  Of course, the ideal
is to have enough volume for a consultants license for a year, then the
cost is easily justified.  That said, a tool is just a tool, and
shouldn't be relied on for more than "brute force" checking of inputs,
etc.  Human intelligence is essential to doing a good job.

Mark Lachniet 


-----Original Message-----
From: A.R. [mailto:r00t@northernfortress.net] 
Sent: Thursday, September 16, 2004 8:45 PM
To: chuan.delahosseraye@accenture.com
Cc: andrew@beegads.com; pen-test@securityfocus.com
Subject: RE: Web Application Tester

I think that when having to choose between a free and a 
commercial tool, it's all about figuring out the return of investment.

If it takes one week to manually inspect an application with
nikto+wget+webscarab+achilles+spike, and only 1 day using Appscan for
the "grunt" work plus 2 days for the manual refinement, the 4 
days I gain are worth more than the ~1,000 dollars I have to 
spend for a 7-days Appscan license.

In the end, I usually prefer to use Paros (free tool), but I 
think that in some situations AppScan/WebInspect can be at 
least worth a look, even if their price makes them look 
unprofitable at first sight.

NB: I have never used AppDetective, so I am not saying in any 
way that the other tools are better

Just my 2 cents, of course :)

A.

On Wed, 2004-09-15 at 15:27, chuan.delahosseraye@accenture.com wrote:

According to my previous search on a Web pen-test tools, AppScan, 
WebInspect and Scando are all much more expensive than 

AppDetective. 

If cost is a concern, it might be possible to combine a 

selection of 

free tools such as:

- Nessus
- Nikto
- WebScarab
- Achilles

But this would involve a lot of Manual works.

Hope this helps
Chuan

-----Original Message-----
From: A.R. [mailto:r00t@northernfortress.net]
Sent: 15 September 2004 12:27
To: andrew@beegads.com
Cc: pen-test@securityfocus.com
Subject: Re: Web Application Tester

Andrew,

I don't know what's your budget, but for web applications 

you can try 

the following commercial products:

- AppScan, by Sanctum (www.sanctuminc.com)
- WebInspect, by Spidynamics (www.spidynamics.com)
- ScanDo, by Kavado (www.kavado.com)

...Or the good ol' Paros 

(http://www.proofsecure.com/download.shtml),

open source and free

Hope this helps

Alberto Revelli
Northern Fortress, Inc.

On Tue, 2004-09-14 at 22:49, Andrew Bagrin wrote:

Does anyone know of an application tester similar to AppDetective 
thats not as hard on the pocket book?
I need to pentest a web app and am looking for some tools

Thanks,



--------------------------------------------------------------
----------------
Ethical Hacking at the InfoSec Institute. All of our class 
sizes are guaranteed to be 12 students or less to facilitate 
one-on-one interaction with one of our expert instructors. 
Check out our Advanced Hacking course, learn to write 
exploits and attack security infrastructure. Attend a course 
taught by an expert instructor with years of in-the-field pen 
testing experience in our state of the art hacking lab. 
Master the skills of an Ethical Hacker to better assess the 
security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
--------------------------------------------------------------
-----------------




------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: LDAP Pentest, Todd Towles
Next by Date:  And More Advanced SQL Injection..., Stefano Di Paola
Previous by Thread:  RE: Web Application Tester, Bowes, Ronald (EST)
Next by Thread:  Re: Web Application Tester, petercheung
Indexes:  [Date] [Thread] [Top] [All Lists]