Home page logo

pen-test logo Penetration Testing mailing list archives

RE: Web Application Tester
From: "A.R." <r00t () northernfortress net>
Date: Fri, 17 Sep 2004 00:44:34 +0000

I think that when having to choose between a free and a commercial tool,
it's all about figuring out the return of investment.

If it takes one week to manually inspect an application with
nikto+wget+webscarab+achilles+spike, and only 1 day using Appscan for
the "grunt" work plus 2 days for the manual refinement, the 4 days I
gain are worth more than the ~1,000 dollars I have to spend for a 7-days
Appscan license.

In the end, I usually prefer to use Paros (free tool), but I think that
in some situations AppScan/WebInspect can be at least worth a look, even
if their price makes them look unprofitable at first sight.

NB: I have never used AppDetective, so I am not saying in any way that
the other tools are better

Just my 2 cents, of course :)


On Wed, 2004-09-15 at 15:27, chuan.delahosseraye () accenture com wrote:
According to my previous search on a Web pen-test tools, AppScan,
WebInspect and Scando are all much more expensive than AppDetective. If
cost is a concern, it might be possible to combine a selection of free
tools such as:

- Nessus
- Nikto
- WebScarab
- Achilles

But this would involve a lot of Manual works.

Hope this helps

-----Original Message-----
From: A.R. [mailto:r00t () northernfortress net] 
Sent: 15 September 2004 12:27
To: andrew () beegads com
Cc: pen-test () securityfocus com
Subject: Re: Web Application Tester


I don't know what's your budget, but for web applications you can try
the following commercial products:

- AppScan, by Sanctum (www.sanctuminc.com)
- WebInspect, by Spidynamics (www.spidynamics.com)
- ScanDo, by Kavado (www.kavado.com)

...Or the good ol' Paros (http://www.proofsecure.com/download.shtml),
open source and free

Hope this helps

Alberto Revelli
Northern Fortress, Inc.

On Tue, 2004-09-14 at 22:49, Andrew Bagrin wrote:
Does anyone know of an application tester similar to AppDetective
thats not as hard on the pocket book?
I need to pentest a web app and am looking for some tools


Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]