
Thread: looking for web vuln scanner

  #1 webtrol (Member): looking for web vuln scanner

    Hi all,
    I'm looking for advice on a web app scanner.
    It has to:
    Allow scanning only selected pages from the website.
    Be usable in a production environment (so it must not generate too much traffic).
    I tried a few, but they always want to follow the links, and some seem to generate enough traffic to affect the response times of the sites.
    The last one I tried was skipfish, but it seems to want to scan everything (as you would expect of a Google tool).

    I'm looking for web app scanner, that can be used to scan just selected few pages...
    any ideas?

    Sin-cerely,
    Trol

  #2 Kx499 (Junior Member), Re: looking for web vuln scanner

    I've heard good things about Burp Suite, but have yet to play with it.

    Here's a link to a post about it I remember seeing some time ago: http://www.backtrack-linux.org/forum...urp-suite.html

  #3 lupin (Super Moderator), Re: looking for web vuln scanner

    Originally Posted by Kx499:
        I've heard good things about Burp Suite, but have yet to play with it.

        Here's a link to a post about it I remember seeing some time ago: http://www.backtrack-linux.org/forum...urp-suite.html
    Burp Suite rocks. You can set filters for pages you want to have included in either passive or active scanning, and you can manually select pages to be scanned. It's a fantastic scanner, and it's cheap (ludicrously cheap compared to the other commercial alternatives).

    Plus it integrates the scanner into the overall suite, which makes use of the intercepting proxy for finding pages to scan, and functions like the Repeater and Intruder are fantastic for doing manual testing and tweaking of web app attacks. Cannot recommend Burp Suite Pro highly enough.

    There is also a thread here in the Experts forum started by thorin discussing web app scanners you might want to look at.
    Last edited by lupin; 02-02-2011 at 12:20 PM. Reason: Typos
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
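
The two requirements the thread keeps coming back to, scanning only the pages the tester picked and not flooding a production box, are easy to state but worth seeing in code. The following is an added example written for this page, not code from the thread or from Burp Suite: an explicit target list (nothing is crawled), Burp-style include/exclude scope rules (a simplified imitation of the shape of Burp's target scope, not its real format), and a token-bucket throttle. The site name, pages and rate are hypothetical, and the `send` stand-in generates no traffic.

```python
"""Scope-restricted, throttled scan harness (added example, not from the
thread or from Burp Suite). Only listed pages are requested, nothing is
crawled, and the token bucket caps the sustained request rate."""
import re
import time
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlsplit


@dataclass
class ScopeRule:
    host: str               # exact host, or a regex when it starts with '^'
    path_prefix: str = "/"  # the URL path must start with this
    include: bool = True    # False makes this an exclude rule

    def matches(self, url: str) -> bool:
        parts = urlsplit(url)
        hostname = parts.hostname or ""
        if self.host.startswith("^"):
            host_ok = re.match(self.host, hostname) is not None
        else:
            host_ok = hostname == self.host
        return host_ok and parts.path.startswith(self.path_prefix)


@dataclass
class Scope:
    rules: List[ScopeRule] = field(default_factory=list)

    def in_scope(self, url: str) -> bool:
        # An exclude rule always wins over an include rule.
        if any(r.matches(url) for r in self.rules if not r.include):
            return False
        return any(r.matches(url) for r in self.rules if r.include)


class TokenBucket:
    """Caps the sustained request rate. clock/sleep are injectable so the
    limiter can be exercised offline without real delays."""

    def __init__(self, rate_per_sec, burst, clock=time.monotonic, sleep=time.sleep):
        self.rate, self.capacity = rate_per_sec, burst
        self.clock, self.sleep = clock, sleep
        self.tokens = float(burst)
        self.last = clock()
        self.total_wait = 0.0   # seconds spent throttled, for the report

    def acquire(self) -> None:
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return
        wait = (1 - self.tokens) / self.rate
        self.total_wait += wait
        self.sleep(wait)
        self.last = self.clock()
        self.tokens = 0.0        # the token earned while sleeping is spent now


def run_scan(targets, scope, bucket, send):
    """Request each listed URL once, in order, skipping anything out of scope.
    send(url) performs the request and returns the status code; a real scanner
    would run its checks on the response here. Nothing is crawled."""
    report = {"scanned": [], "skipped": []}
    for url in targets:
        if not scope.in_scope(url):
            report["skipped"].append(url)
            continue
        bucket.acquire()
        report["scanned"].append((url, send(url)))
    return report


class FakeClock:
    """Deterministic clock for the offline demo: sleeping advances time."""
    def __init__(self):
        self.t = 0.0
    def now(self):
        return self.t
    def sleep(self, seconds):
        self.t += seconds


def demo():
    # Hypothetical site and pages, constructed for the example.
    scope = Scope([ScopeRule("www.example.com", "/account/"),
                   ScopeRule("www.example.com", "/account/logout", include=False)])
    targets = ["https://www.example.com/account/profile",
               "https://www.example.com/account/logout",        # excluded
               "https://www.example.com/",                      # outside the prefix
               "https://cdn.example.com/account/profile",       # wrong host
               "https://www.example.com/account/settings?tab=security"]
    clock = FakeClock()
    bucket = TokenBucket(2.0, 1, clock=clock.now, sleep=clock.sleep)  # 2 req/s, burst 1
    # Stand-in for the HTTP request: this demo generates no traffic.
    report = run_scan(targets, scope, bucket, send=lambda url: 200)
    return report, bucket.total_wait
```

Two practical notes. The exclude rule on the logout page is the kind of thing a crawler-driven scanner gets wrong on a production site: one unscoped request kills the test session. And a rate limit on its own only bounds request count, not server cost; one slow search endpoint hit twice a second can still hurt, so on a live site keep concurrency at one and watch the response times while the scan runs.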

  #4 jirtos (Junior Member), Re: looking for web vuln scanner

    Yep, Burp Suite is something that does some hard work for me, but to be honest, for webapp testing I am combining it with W3AF. And nowadays W3AF is beginning to play the main role in this kind of testing.

  #5 lupin (Super Moderator), Re: looking for web vuln scanner

    Originally Posted by jirtos:
        Yep, Burp Suite is something that does some hard work for me, but to be honest, for webapp testing I am combining it with W3AF. And nowadays W3AF is beginning to play the main role in this kind of testing.
    I have heard good things about w3af from some people, and bad things from others. My own experiences with it have not been great; for one thing, I find it very hard to integrate into my workflow.

  #6 (Developer), Re: looking for web vuln scanner

    At work we currently have:
    Acunetix
    Web inspect
    Appsec
    Burp Suite
    w3af

    Out of all these I find myself using Burp more than anything and, as was already said, it's a steal compared to any of the others.

  #7 (Senior Member), Re: looking for web vuln scanner

    I have used:
    Web Inspect
    NTO Spider
    Acunetix
    Burp
    w3af

    Web Inspect is a little heavy, on both network and system resources, but if you tweak the settings heavily to get it "just so" it works pretty well. Check the free trial on some obscure HP site.

    NTO = awesome... if you don't mind DoS'ing your servers. Even with the throttle setting all the way down it DoSes boxes, but at least it's got great accuracy.

    Acunetix has some great features, but many of them are inappropriate for a production environment.

    Burp is everything everyone already said: cheap, highly configurable and pretty easy to work with.

    w3af: like lupin, I have had, and heard of, mixed results. Sometimes it's amazing and just flies through a scan, other times it breaks miserably over and over.

    ^just my 2 cents^
    open source = open minds, human knowledge belongs to the world

  #8 thorin (My life is this forum), Re: looking for web vuln scanner

    Along with what others have mentioned, you might also want to check out some passive web app security tools like Ratproxy (from Google) and Fiddler2 (along with the Watcher plugin).

    For doing your own manual-type testing you might wanna check out the following plugins for Firefox:
    Tamper Data
    FireBug
    Last edited by thorin; 02-09-2011 at 03:00 AM.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
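
The passive tools thorin mentions matter for the production constraint in the opening post: they inspect the traffic the browser already produced and never send a request of their own. The block below is an added example written for this page, not code from Ratproxy, Watcher, Fiddler or the thread. It parses raw HTTP responses and flags the kind of weaknesses passive tools report (cookie attributes, missing X-Frame-Options on HTML, a query value echoed verbatim into the body, a version-disclosing Server header). The URL and both responses are constructed samples, one weak and one hardened, so the script runs offline.

```python
"""Passive response checks (added example, not Ratproxy/Watcher code).
Flags weaknesses from already-captured traffic without sending requests."""
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, urlsplit


def parse_response(raw: bytes) -> Tuple[int, List[Tuple[str, str]], str]:
    """Split a raw HTTP/1.x response into status, (lowercased name, value)
    header pairs and a decoded body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body.decode("utf-8", "replace")


def passive_checks(url: str, raw: bytes) -> List[str]:
    """Return the findings for one request/response pair."""
    status, headers, body = parse_response(raw)
    single = dict(headers)          # last value wins; fine for these checks
    scheme = urlsplit(url).scheme
    findings = []

    # Cookie attributes: HttpOnly always, Secure whenever served over TLS.
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = value.split(";")[0].split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie} set without HttpOnly")
        if scheme == "https" and "secure" not in attrs:
            findings.append(f"cookie {cookie} set without Secure")

    if single.get("content-type", "").startswith("text/html"):
        if "x-frame-options" not in single:
            findings.append("HTML response without X-Frame-Options")
        # A query value echoed verbatim is an XSS candidate; confirm by hand.
        for key, val in parse_qsl(urlsplit(url).query):
            if len(val) >= 4 and val in body:
                findings.append(f"parameter {key} reflected verbatim in body")

    server = single.get("server", "")
    if re.search(r"\d+\.\d+", server):
        findings.append(f"Server header discloses version: {server}")
    return findings


# Constructed sample traffic for a hypothetical site (not a real capture).
SAMPLE_URL = "https://www.example.com/search?q=burp<b>suite"
WEAK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2.3\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Set-Cookie: session=abc123; Path=/\r\n"
    b"\r\n"
    b"<html><body>Results for burp<b>suite</body></html>"
)
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Set-Cookie: session=abc123; Path=/; HttpOnly; Secure\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"\r\n"
    b"<html><body>Results for burp&lt;b&gt;suite</body></html>"
)


def demo():
    """Run the checks over the weak and the hardened sample."""
    return (passive_checks(SAMPLE_URL, WEAK_RESPONSE),
            passive_checks(SAMPLE_URL, HARDENED_RESPONSE))
```

The reflection check is deliberately conservative: it only reports that the value came back unchanged, which is what a passive proxy can know. Whether that is exploitable is a manual job for Repeater, or for Tamper Data in the browser, which is why the thread pairs passive tools with the manual ones.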

  #9 webtrol (Member), Re: looking for web vuln scanner

    Thank you to all that responded.
    Burp Suite is exactly what I was looking for!!!

    Sin-cerely,
    Trol

  #10 (Just burned his ISO), Re: looking for web vuln scanner

    You might consider chaining your browser to Ratproxy to Burp Suite for even better results. In that order. Happy pentesting.

