Web App Assessment Tool Opinions

[thorin]

I seem to have an ever growing list of web app assessment tools these days, I can't possibly get to testing them all and verifying that:
1) They're useful.
2) They don't do anything malicious or "call home" or anything like that.

I just came across another tool and thought I'd pick brains over here to try and narrow things down. So if you've got any experience with the following, please add your 2 cents:

• Websecurify - Websecurify | Web and Web2.0 Security
• Netsparker - Netsparker, False Positive Free Web Application Security Scanner - Mavituna Security or even better Netsparker Community Edition
• Grendelscan - Grendel-Scan
• Skipfish (from google) - skipfish - Project Hosting on Google Code
• WATOBO - http://sourceforge.net/projects/watobo/

On the commercial front I usually use AppScan. On the free front I usually use w3af, waffit/wafw00f, Fiddler2 w/ Watcher, FF w/ Firebug and Tamper Data, sometimes Nikto (though kinda rarely these days). I've also used Ratproxy but like Fiddler w/ Watcher better.

On a related note I just came across this thread which might be of interest to anyone reading or posting here.

sla.ckers.org web application security forum :: Projects :: Web application scanner

[Liuser]

I have been using Skipfish. Very impressive with the amount of requests it makes and presents the data in a nice user friendly web GUI. It takes quite a bit of time to sift through the results. Nonetheless, great for identifying potential injections, Cross-scripting vulnerabilities, login screens, "interesting" files, etc. Sometimes generates a handful of false positives, but then again, it could just be attributed to my lack of skill with verifying the vulnerabilities.

The BurpSuite is another great tool. Not sure if you have experimented with it yet.

[thorin]

Thanks Liuser, yes actually I do also have access to BurpSuite Pro here at work. The interface seems kinda klunky to me so I've never become a huge fan though others in my group really are.

Anyone else have any experience with any of these tools?

[firebits]

I used Wapiti - Web application security auditor in python.

Very easy and console commands.

Sorry my bad english

[hhmatt]

If you are looking for new vulnerabilities then you should really consider writing your own scripts. The problem with fuzz tools is that someone else is looking for vulnerabilities using the same tools in the same manner as you are (probably with better equipment). If you are familiar with SPIKE I would give Spike proxy a try.

IMMUNITY : Knowing You're Secure

[brtw2003]

skipfish got a lot of infosec media attention and lcamtuf is the man, but my tests didn't convince me to use if for serious testing - besides if you look on pure performance (i don't audit amazon s3 or google cloud ;-), but a way too much false positives, seriously impacting some web server performance ;-) and needs definitely some improvement (I'm sure lcumtuf is using internally at google an optimized version ;-)

As with any other pentesting area, there is NO the-tool-doing-anything-for-me-perfect-job, same thing with http-proxies. Burp Pro is great, Spike is great, ratproxy is sometimes enough and so on...

I personally do use extensively w3af (even with instability issues), webscarab, dirbuster, whatWeb, Burp and for fuzzing you need some home-gr0wn scripts anyway.

On a commercial side we do have WebInspect (fancy GUI, fancy reports), which I've to say it does a quite good job for doing some large web-app testing and identifying the most obvious vuls; and from there to proceed further with manual testing.

/brtw2003

[thorin]

I do believe that using multiple tools along with a bunch of manual testing (scripted or otherwise) is the way to go for Web App assessments.

I'm still hoping that someone out there has some input on Websecurify (which I believe grew out of GNUCitizen) or Netsparker (which has been listed on a few mailing lists lately).

Grendel-scan I'm not as concerned with, it's been out a while and doesn't seem to get much attention. This leads me to conclude (perhaps wrongly...but I'm just trying to explain) that it's not that great.

Skipfish, got a lot of attention simply due to where it came from. I've heard mixed reviews.

[Liuser]

It looks like the predominate tools listed here are scanners that test the web application externally. However, would you have any recommendations for scanners that analyze code?

[thorin]

For java or JSP I've used PMD in the past.

In the majority of cases (~95%) I've found that my clients fall in to two categories. 1) Those unwilling to share their code. 2) Those that are unwilling to spend more money on code assessment (though usually when we quote this we're talking both automated and manual tasks).

[thorin]

@Liuser
Here's something else you might wanna check out for PHP:
RIPS – A static source code analyser for vulnerabilities in PHP scripts