Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: FW: Tools comparison and evaluation question (AppScan)

from [Erwin Geirnaert] Network Security [Permanent Link]
Subject: RE: FW: Tools comparison and evaluation question (AppScan)
Date: Fri, 17 Feb 2006 17:43:58 +0100 
 
Nobody played with HailStorm from Cenzic yet?

From my personal experience: it looks great and has a good performance

to scan web apps. It allows to automate certain things like boundary
testing, privilege escalation or bypass authorization. 

Because I do a lot of manual security testing with open-source tools, I
don't like tools that only scan things by fuzzing parameters and show a
lot of false positives. If I can't see how attacks are executed and I
can't customize the attack patterns it has no usage for me.

All depends on what you are looking for: low hanging fruit or an
assessment tool that can be used and shared in the development phase by
developers nd testers.

I hope that the project at Owasp about the web app scan market (is it a
project or an individual initiative?) is able to shed some light on the
real power of commercial tools. I can imagine that when you need
automated assessment tools and only can rely on Google or banners on
security sites (or even mailing list adds :)) to learn about these
products, you don't know what to choose.

Erwin




-----Original Message-----
From: Peter Wood [mailto:peterw@firstbase.co.uk] 
Sent: vrijdag 17 februari 2006 16:06
To: webappsec@securityfocus.com
Cc: Charles'
Subject: Re: FW: Tools comparison and evaluation question (AppScan)

We use WebInspect on a daily basis too, and have done so since version
1.0.  It's an excellent tool with some excellent (and constantly
improving) utilities.

Pete

At 13:46 17/02/2006 +0000, Xyberpix wrote:

I use WebInspect pretty much ona  daily basis, and wouldn't trade it
for anything.
As far as tools go, it really is a worthwhile addition.

xyberpix


-----Original Message-----
From: Burke, Charles
Sent: Friday, February 17, 2006 7:47 AM
To: 'Serg Belokamen'
Subject: RE: Tools comparison and evaluation question (AppScan)  >>
Also, WebInspect is a very good (commercial) tool.  It also includes
some invaluable utilities (Sql Injector, etc) that are a step above
their open source competitors.

-----Original Message-----
From: Serg Belokamen [serg.belokamen@gmail.com]
Sent: Friday, February 17, 2006 2:04 AM
To: webappsec@securityfocus.com
Subject: Tools comparison and evaluation question (AppScan)  >>  >>
Hi All,  >>  >>I am currently looking at using/evaluating a tool

called AppScan (by  >>watchfire.com).


So the question is in two parts and ASAP reply would be greatly
appreciated.

First:
Without starting a flame war (hopefully) or marketing campaign

(another

hopefully) can any one tell me abut their experience with the

software,  >>what you find useful about it, what not, any annoyances,
missing  >>functionality, etc.


Second:
Can anyone recommend any simular type of software, preferably open
source (although not at all essential), and describe its performance,
usability and "usefulness" so to speak using AppScan as a reference
point.

  Thanks,
      Serg



--------------------------------------------------------------------
Peter Wood FBCS CITP MIEEE MIMIS CISSP
Chief of Operations
First Base Technologies
Office: +44 (0)1273 454525
Mobile: +44 (0)7774 239915
www.fbtechies.co.uk
www.white-hats.co.uk


------------------------------------------------------------------------
-
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!" 
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gR
l
------------------------------------------------------------------------
--


-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!" 
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world 
examples of recent hacking methods such as: SQL Injection, Cross Site 
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: FW: Tools comparison and evaluation question (AppScan), Serg B.
Next by Date:  RE: FW: Tools comparison and evaluation question (AppScan), Joe White
Previous by Thread:  RE: FW: Tools comparison and evaluation question (AppScan), Brokken, Allen P.
Next by Thread:  RE: (OWASP Web App Tool Project) Tools comparison and evaluation question (AppScan), arian.evans
Indexes:  [Date] [Thread] [Top] [All Lists]