Thread: Web App Assessment Tool Opinions

  1. #1 thorin (Join Date: Jan 2010, Posts: 2,629)

    Web App Assessment Tool Opinions

    I seem to have an ever-growing list of web app assessment tools these days, and I can't possibly get to testing them all and verifying that:
    1) They're useful.
    2) They don't do anything malicious or "call home" or anything like that.

    I just came across another tool and thought I'd pick brains over here to try and narrow things down. So if you've got any experience with the following, please add your 2 cents:

    On the commercial front I usually use AppScan. On the free front I usually use w3af, waffit/wafw00f, Fiddler2 w/ Watcher, FF w/ Firebug and Tamper Data, sometimes Nikto (though kinda rarely these days). I've also used Ratproxy but like Fiddler w/ Watcher better.

    On a related note I just came across this thread which might be of interest to anyone reading or posting here.

    sla.ckers.org web application security forum :: Projects :: Web application scanner
    Last edited by thorin; 06-21-2010 at 03:06 PM. Reason: added WATBOBO
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  2. #2 Liuser (Join Date: Apr 2010, Posts: 58)

    Re: Web App Assessment Tool Opinions

    I have been using Skipfish. Very impressive with the amount of requests it makes, and it presents the data in a nice, user-friendly web GUI. It takes quite a bit of time to sift through the results. Nonetheless, it's great for identifying potential injections, cross-scripting vulnerabilities, login screens, "interesting" files, etc. It sometimes generates a handful of false positives, but then again, that could just be attributed to my lack of skill with verifying the vulnerabilities.

    The BurpSuite is another great tool. Not sure if you have experimented with it yet.

  3. #3 thorin (Join Date: Jan 2010, Posts: 2,629)

    Re: Web App Assessment Tool Opinions

    Thanks Liuser, yes actually I do also have access to BurpSuite Pro here at work. The interface seems kinda clunky to me, so I've never become a huge fan, though others in my group really are.

    Anyone else have any experience with any of these tools?
  4. #4 firebits, Moderator (Join Date: Mar 2010, Location: Brazil, Posts: 353)

    Re: Web App Assessment Tool Opinions

    I used Wapiti, a web application security auditor written in Python.

    Very easy, with console commands.

    Sorry for my bad English.

  5. #5 hhmatt (Join Date: Jan 2010, Posts: 660)

    Re: Web App Assessment Tool Opinions

    If you are looking for new vulnerabilities then you should really consider writing your own scripts. The problem with fuzz tools is that someone else is looking for vulnerabilities using the same tools in the same manner as you are (probably with better equipment). If you are familiar with SPIKE, I would give SPIKE Proxy a try.

    IMMUNITY : Knowing You're Secure

  6. #6 brtw2003

    Re: Web App Assessment Tool Opinions

    skipfish got a lot of infosec media attention and lcamtuf is the man, but my tests didn't convince me to use it for serious testing - besides, if you look at pure performance (I don't audit Amazon S3 or Google cloud ;-), there are way too many false positives, it seriously impacts some web servers' performance ;-) and it definitely needs some improvement (I'm sure lcamtuf is using an optimized version internally at Google ;-)

    As with any other pentesting area, there is NO the-tool-doing-everything-for-me-perfect-job; same thing with HTTP proxies. Burp Pro is great, SPIKE is great, ratproxy is sometimes enough, and so on...

    I personally do use w3af extensively (even with its instability issues), WebScarab, DirBuster, WhatWeb, Burp, and for fuzzing you need some home-gr0wn scripts anyway.

    On the commercial side we do have WebInspect (fancy GUI, fancy reports), which I have to say does a quite good job of large web-app testing and identifying the most obvious vulns; from there you proceed further with manual testing.

    /brtw2003
    Last edited by brtw2003; 06-01-2010 at 07:08 AM.

  7. #7 thorin (Join Date: Jan 2010, Posts: 2,629)

    Re: Web App Assessment Tool Opinions

    I do believe that using multiple tools along with a bunch of manual testing (scripted or otherwise) is the way to go for Web App assessments.

    I'm still hoping that someone out there has some input on Websecurify (which I believe grew out of GNUCitizen) or Netsparker (which has been listed on a few mailing lists lately).

    Grendel-Scan I'm not as concerned with; it's been out a while and doesn't seem to get much attention. This leads me to conclude (perhaps wrongly...but I'm just trying to explain) that it's not that great.

    Skipfish got a lot of attention simply due to where it came from. I've heard mixed reviews.

  8. #8 Liuser (Join Date: Apr 2010, Posts: 58)

    Re: Web App Assessment Tool Opinions

    It looks like the predominant tools listed here are scanners that test the web application externally. However, would you have any recommendations for scanners that analyze code?

  9. #9 thorin (Join Date: Jan 2010, Posts: 2,629)

    Re: Web App Assessment Tool Opinions

    For Java or JSP I've used PMD in the past.

    In the majority of cases (~95%) I've found that my clients fall into two categories. 1) Those unwilling to share their code. 2) Those that are unwilling to spend more money on code assessment (though usually when we quote this we're talking both automated and manual tasks).

  10. #10 thorin (Join Date: Jan 2010, Posts: 2,629)

    Re: Web App Assessment Tool Opinions

    @Liuser
    Here's something else you might wanna check out for PHP:
    RIPS – A static source code analyser for vulnerabilities in PHP scripts