hi all,
I'm looking for advice on web app scanner.
It has to:
Allow scanning only selected pages from the website.
It has to be able to be used in a production environment (so it must not generate too much traffic).
I tried a few, but they always want to follow the links, and some seem to generate enough traffic to affect the response times of the sites.
The last one I tried was skipfish, but it seems to want to scan everything (as you would expect of a Google tool).
I'm looking for a web app scanner that can be used to scan just a selected few pages...
any ideas?
Sin-cerely,
Trol
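What the two requirements above (scan only the pages you name; keep the request rate bounded) look like when written down, as an added example that is not part of this thread or of any scanner named in it: an explicit allow list decides which URLs may be requested, links discovered on a page are only followed if they are also on the list, a throttle enforces a minimum gap between requests, and the only checks run are passive header checks, so no payloads reach the production site. The site it "scans" is a constructed in-memory dictionary (example.com URLs and headers are made up) so the script runs offline; swap fetch_sample for a real HTTP GET to use it for real.

```python
"""Scope-restricted, throttled passive check over an explicit page list.

Added example, not a tool from the thread. The sample site below is
constructed so the script runs without touching the network.
"""
import time
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed sample site: url -> (response headers, HTML body).
SAMPLE_SITE = {
    "https://example.com/login": (
        {"Content-Type": "text/html", "X-Frame-Options": "DENY",
         "Strict-Transport-Security": "max-age=31536000"},
        '<a href="/account">Account</a> <a href="/admin/reports">Reports</a>',
    ),
    "https://example.com/account": (
        {"Content-Type": "text/html"},
        '<a href="https://example.com/login#top">Login</a> <a href="/search?q=x">Search</a>',
    ),
    # Linked from the pages above but deliberately left off the allow list.
    "https://example.com/admin/reports": ({"Content-Type": "text/html"}, "<p>heavy report</p>"),
    "https://example.com/search?q=x": ({"Content-Type": "text/html"}, "<p>results</p>"),
}


def normalize(url):
    """Canonical form for scope matching: lower-case scheme/host, fragment dropped."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


class LinkExtractor(HTMLParser):
    """Collect href values of <a> tags so the scanner can see what it is NOT following."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


class Throttle:
    """Enforce a minimum gap between requests; clock and sleep are injectable for tests."""
    def __init__(self, min_interval, now=time.monotonic, sleep=time.sleep):
        self.min_interval, self._now, self._sleep = min_interval, now, sleep
        self._last = None

    def wait(self):
        if self._last is not None:
            gap = self.min_interval - (self._now() - self._last)
            if gap > 0:
                self._sleep(gap)
        self._last = self._now()


def passive_findings(url, headers):
    """Header-only checks: no extra requests and no payloads, so safe on production."""
    present = {k.lower() for k in headers}
    findings = []
    if "x-frame-options" not in present and "content-security-policy" not in present:
        findings.append("no clickjacking protection (X-Frame-Options/CSP)")
    if "x-content-type-options" not in present:
        findings.append("missing X-Content-Type-Options")
    if urlsplit(url).scheme == "https" and "strict-transport-security" not in present:
        findings.append("missing Strict-Transport-Security")
    return findings


def fetch_sample(url):
    """Stand-in for an HTTP GET against the constructed site."""
    return SAMPLE_SITE[normalize(url)]


def scan(seeds, allowed, fetch=fetch_sample, throttle=None):
    """Walk links from the seeds, but only ever request URLs on the allow list."""
    scope = {normalize(u) for u in allowed}
    throttle = throttle or Throttle(min_interval=1.0)  # one request per second
    queue = [normalize(u) for u in seeds]
    visited, skipped, results = set(), set(), {}
    while queue:
        url = queue.pop(0)
        if url in visited:
            continue
        if url not in scope:
            skipped.add(url)          # recorded, never fetched
            continue
        visited.add(url)
        throttle.wait()
        headers, body = fetch(url)
        results[url] = passive_findings(url, headers)
        parser = LinkExtractor()
        parser.feed(body)
        queue.extend(normalize(urljoin(url, h)) for h in parser.hrefs)
    return {"checked": results, "skipped": sorted(skipped), "requests": len(visited)}


if __name__ == "__main__":
    report = scan(seeds=["https://example.com/login"],
                  allowed=["https://example.com/login", "https://example.com/account"],
                  throttle=Throttle(min_interval=0.2))
    for url, findings in report["checked"].items():
        print(url, "->", findings or "no findings")
    print("skipped (out of scope):", report["skipped"])
```

Two design points worth keeping when replacing fetch_sample with a real client: the scope test runs on the normalized URL before any request is made, so a link to an expensive page such as /admin/reports is reported as skipped rather than fetched, and the throttle is the only thing standing between you and a self-inflicted load test, so set its interval from the site's measured capacity rather than from how long you want the scan to take.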
I've heard good things about burp suite, have yet to play with it though.
Here's a link to a post about it I remember seeing some time ago: http://www.backtrack-linux.org/forum...urp-suite.html
Burp Suite rocks. You can set filters for pages you want to have included in either passive or active scanning, and you can manually select pages to be scanned. It's a fantastic scanner, and it's cheap (ludicrously cheap compared to the other commercial alternatives).
Plus it integrates the scanner into the overall suite which makes use of the intercepting proxy for finding pages to scan, and functions like the Repeater and Intruder are fantastic for doing manual testing and tweaking of web app attacks. Cannot recommend Burp Suite Pro highly enough.
There is also a thread here in the Experts forum started by thorin discussing web app scanners you might want to look at.
Last edited by lupin; 02-02-2011 at 12:20 PM. Reason: Typos
Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".
The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
Yep, Burp Suite is something that does some hard work for me, but to be honest, for webapp testing I am combining it with W3AF. And nowadays W3AF is beginning to play the main role in this kind of testing.
At work we currently have:
Acunetix
Web inspect
Appsec
Burp Suite
w3af
Out of all these I find myself using Burp more than anything, and as was already said, it's a steal compared to any of the others.
I have used:
Web Inspect
NTO Spider
Acunetix
Burp
W3af
Web Inspect is a little heavy on both network and system resources, but if you tweak the settings heavily to get it "just so" it works pretty well. Check the free trial on some obscure HP site.
NTO = awesome... if you don't mind DoSing your servers. Even with the throttle setting all the way down it DoSes boxes, but at least it's got great accuracy.
Acunetix has some great features, but many of them are inappropriate for a production environment.
Burp is everything everyone already said: cheap, highly configurable and pretty easy to work with.
w3af: like lupin, I have had, and heard of, mixed results. Sometimes it's amazing and just flies through a scan; other times it breaks miserably over and over.
^just my 2 cents^
open source = open minds, human knowledge belongs to the world
Along with what others have mentioned, you might also want to check out some passive web app security tools like Ratproxy (from Google) and Fiddler2 (along with the Watcher plugin).
For doing your own manual-type testing you might wanna check out the following plugins for Firefox:
Tamper Data
FireBug
Last edited by thorin; 02-09-2011 at 03:00 AM.
I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.
I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
Thank you to all who responded.
Burp Suite is exactly what I was looking for!!!
Sin-cerely,
Trol
You might consider chaining your browser to Ratproxy to Burp Suite, in that order, for even better results. Happy pentesting.