
| Subject: | Re: Paros alternative |
|---|---|
| Date: | Fri, 13 Apr 2007 22:45:25 +1000 |
I don't know of any "pen-test" tool that does an alternative to what you have already mentioned (within the Open Source realm, anyway); however, you may want to look at Selenium (http://www.openqa.org/selenium/). This is a JS web-application testing tool; essentially it is just a harness that you feed small JS test scripts, and the rest is taken care of for you. Therefore, if you know what you are doing and don't mind coding a little, Selenium is worth a try.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi all,
I stumbled across Paros quite a while ago. It has been really nice to work with, providing an easy "click and run" interface. However, there are some limitations to it that are becoming more and more obvious.
1) It has not been updated for half a year. (OK, this is probably the least significant problem.)
2) Java is great for platform independence and stuff, but it's just slow. You don't even have to scan across an intranet to find this out. Even if you scan through a custom 2000/200 kbps line, the limiting factor will be your processor and not your bandwidth. (2 GHz Pentium M; results may vary.)
3) It lacks deep configuration. Of course you can set all your basic stuff, but you have no access to the routines called afterwards unless you hack up the source yourself. Now, again, this is normal for a click-and-run tool.
4) The logs it creates are _huge_. 2 GB and more are not seldom at all. This sometimes raises startup and resume times to 30+ minutes.
5) Some more. This is not a flame. I actually like Paros. Just wanted to sketch what troubled my mind.
This is why I started searching for alternatives. Now, as you might expect, asking Google for "paros alternatives" mostly turns up Greek villages. That's not really what I'm after.
I found a few good programs but they all lack some key features. For example:
I) WebScarab (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project) Really nice for packet manipulation and manual fuzzing of webapps. However, it lacks standardized tests and automation.
II) Nikto (http://www.cirt.net/code/nikto.shtml) Mostly pattern matching, without strong generic tests for XSS, CRLF or SQL injection.
III) Burpsuite (http://portswigger.net/suite/) Another really nice tool. Here you get all the options. However, automation is missing up until now.
So this is my question: Does anybody (know|use|develop) a (tool|script|app) that carries out partially or completely automated tests on web applications, runs on Linux or BSD, is open source and copes with some of the points given above?
If so, please let me know.
Thanks in advance
Many Greetings Paul
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGHWfyaHrXRd80sY8RCojjAJ0Qen53VyzyCATvWfqNYKYKT7lZ8QCfbIfd
GAACIut+KZRoAQ2vBZtGoz0=
=8zee
-----END PGP SIGNATURE-----
------------------------------------------------------------------------ This List Sponsored by: Cenzic
Are you using SPI, Watchfire or WhiteHat? Consider getting clear vision with Cenzic See HOW Now with our 20/20 program!
http://www.cenzic.com/c/2020 ------------------------------------------------------------------------
-- Serg
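Paul's complaint about Nikto (signature matching, no generic tests for XSS, CRLF or SQL injection) and Serg's suggestion of a scriptable harness point at the same thing: probe each parameter with a payload you control and judge by how the response behaves, not by a fixed pattern list. The script below is an added example written for this archive page; it is not code from Paros, Nikto, WebScarab, Burp, Selenium or anyone in the thread. It runs entirely offline: `stub_app` is a constructed in-process stand-in for a web application with three deliberately broken parameters (`q`, `lang`, `id`) and one handled correctly (`safe`), and the three probes are generic, behaviour-based checks that do not depend on knowing the target in advance.

```python
"""Generic, behaviour-based probes for reflected XSS, CRLF header injection
and error-based SQL injection. Added example; the target is a constructed
stub, not a real server, so everything here runs offline."""
import html
import re
import secrets
import string

# --- Constructed target: a naive in-process "web app" -----------------------
_SQL_ERROR = "You have an error in your SQL syntax; check the manual"


def stub_app(params):
    """Return (status, raw_header_block, body) the way a naive server would."""
    headers = {"Content-Type": "text/html"}
    status = 200
    body = "<html><body>"
    if "q" in params:                       # reflected without escaping
        body += f"<p>Results for {params['q']}</p>"
    if "safe" in params:                    # reflected with HTML escaping
        body += f"<p>{html.escape(params['safe'])}</p>"
    if "lang" in params:                    # CR/LF not stripped from a header
        headers["Set-Cookie"] = f"lang={params['lang']}"
    if "id" in params:                      # string-built SQL, error leaks
        sql = f"SELECT * FROM items WHERE id = '{params['id']}'"
        if sql.count("'") % 2:               # unbalanced quote -> syntax error
            status, body = 500, f"<pre>{_SQL_ERROR}</pre>"
    body += "</body></html>"
    raw_headers = "\r\n".join(f"{k}: {v}" for k, v in headers.items())
    return status, raw_headers, body


# --- Generic probes ---------------------------------------------------------
def _canary(n=8):
    # Random marker, so a hit cannot be a coincidence of normal page content.
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(n))


def probe_xss(app, param, base):
    payload = f"<{_canary()}>"
    _, _, body = app({**base, param: payload})
    # Vulnerable only if the tag comes back byte-for-byte, not entity-encoded.
    return payload in body


def probe_crlf(app, param, base):
    header = f"X-{_canary()}"
    _, raw_headers, _ = app({**base, param: f"en\r\n{header}: 1"})
    # A header line we chose ourselves proves CR/LF reached the header block.
    return any(line.startswith(header + ":") for line in raw_headers.split("\r\n"))


SQL_ERRORS = re.compile(
    r"SQL syntax|ORA-\d{5}|PG::SyntaxError|unterminated quoted string", re.I)


def probe_sqli(app, param, base):
    normal = base[param]
    _, _, b_normal = app(base)
    _, _, b_one = app({**base, param: normal + "'"})
    _, _, b_two = app({**base, param: normal + "''"})
    # Error-based differential: one quote breaks the query, a balanced pair
    # does not, and the untouched baseline showed no DB error to begin with.
    return (not SQL_ERRORS.search(b_normal)
            and bool(SQL_ERRORS.search(b_one))
            and not SQL_ERRORS.search(b_two))


def scan(app, base):
    """Run every probe against every parameter; return sorted (param, issue)."""
    probes = (("xss", probe_xss), ("crlf", probe_crlf), ("sqli", probe_sqli))
    findings = [(param, name)
                for param in base
                for name, probe in probes
                if probe(app, param, base)]
    return sorted(findings)


if __name__ == "__main__":
    baseline = {"q": "shoes", "safe": "shoes", "lang": "en", "id": "42"}
    for param, issue in scan(stub_app, baseline):
        print(f"{param}: {issue}")
```

Against a live target, `app` would be a function that performs the HTTP request and returns the same triple; the probes do not change. The SQL check is deliberately differential (one quote vs. two) rather than a bare error-string match, which is the kind of generic test Paul finds missing from plain pattern matching.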