RE: Web Scanners & Acunetix

Subject: RE: Web Scanners & Acunetix
Date: Fri, 11 Mar 2005 17:39:15 -0600
LOL. Final Score on the webappsec@subtleplugging.com list:

Acunetix: 2
Appscan: 1
WebScarab: 1

The OWASP 2005 conference will be hosting a presentation covering
around 40 different application assessment tools. About this same time
(first week of April) will launch a new resource on www.owasp.org tracking
said tools.

You other helpful samaritans: Thanks for the Acunetix heads up!
I had not added it to my list, and was surprised to find out that
it's not vaporware.

5 minute first blush of Acunetix "Web Vulnerability Scanner":

Good:
- test editor to get under the hood. Hooray! Nobody (commercial) but
  Cenzic has this right now. Good job.
- quick (of course counting it doesn't find much or parse JS :) though
  I didn't attempt to test scaling
- no over-hype of "vulnerability" ratings (e.g. robots.txt isn't "critical")
- usable http editor and the proxy regex support
- no marketing claiming they "automate" what the competition can't,
  or do "something" new, or simply demonstrate they don't have a clue
  about their competitive landscape.

Opportunities for improvement:

- the "users manual" starts as a marketing document.
- javascript parsing weak or non-existent.
- no ability to fill forms/follow workflow (that I could find).
- found only one of a possible roughly 30 XSS variants I threw at it.
- the one XSS it found, which was the most trivially exploitable
  and in a dangerous place, it rated as "medium".

First time I've complained about XSS being under-rated. :)

I was pleasantly surprised by this tool, though the last thing
I think we all need is another "web vulnerability scanner".

Arian Evans
Sr. Security Engineer
FishNet Security

Phone:  816.421.6611
Toll Free:  888.732.9406
Fax:  816.421.6677

http://www.fishnetsecurity.com



-----Original Message-----
From: blad3 [mailto:fd@blad3.ro] 
Sent: Thursday, March 03, 2005 3:56 PM
To: El C0chin0
Cc: webappsec
Subject: Re: Web Scanners


A few more (web scanners):

Acunetix Web Vulnerability Scanner (commercial)
http://www.acunetix.com

Watchfire AppScan (commercial)
http://www.watchfire.com/products/security/default.aspx

OWASP WebScarab (free)
http://www.owasp.org/software/webscarab.html


----- Original Message ----- 
From: "El C0chin0" <mr.nasty@ix.netcom.com>
To: <webappsec@securityfocus.com>
Sent: Thursday, March 03, 2005 1:49 AM
Subject: Web Scanners

I'm looking for different types of web scanners for a proof of concept
list of vendors or free ones.

I already know of Immunity's Spike and SPI's WebInspect. I'm looking for
other alternatives. It doesn't matter the cost at this point. I'm looking
for a vendor or vendors who are willing to provide a proof of concept.

Please respond here if the moderator allows this post.

Thanks 