WebApp Sec: RE: Tools comparison and evaluation question (AppScan)


From: arian.evans <arian.evans_at_anachronic.com>
Date: Fri, 17 Feb 2006 13:14:20 -0600

Serg,

I have an older list of tools here:
http://www.owasp.org/docroot/owasp/misc/OWASP_DC_2005_Presentations/Track_2-Day1/AppSec2005DC-Arian_Evans_Tools-Taxonomy.ppt

This info is dated. Several tools have matured, but so has the
complexity of applications on the Internet. I used to say SPI
had the best proxy, but it really depends on what you are testing.
SPI's proxy does not provide a way to manipulate data if you
have serialized data passing client<->server in the HTTP stream
(e.g., you have something like an Eclipse rich client). A few
other products have proxies that do.

I'll be releasing an updated vendor list in PDF around the end
of the month, and possibly a sample testing app or two.

There is still enough variance between which tools do which tasks
better, that the best benchmark is your own software. For a while
SPI and Watchfire were the clear leaders, but now there are some
other tools with strengths (and weaknesses) to consider. At the
end of the day it all relies on what *you* need to do.

There does not yet exist a sample application and methodology in
the public domain for performing useful synthetic benchmarks. (I
hope SiteGenerator will change this soon.)

> software, what you find useful about it, what not, any annoyances,
> missing functionality, etc.

On sites with complex JavaScript menus with lots of links and URL
parameters, I have observed AppScan to hang or go into loops when
turned loose in completely automated fashion. That said, overall it
is still one of the best tools in the automated scanning domain.

> Second:
> Can anyone recommend any similar type of software, preferably open
> source (although not at all essential), and describe its performance,
> usability and "usefulness" so to speak using AppScan as a reference

Here's a list of tools I would consider evaluating:

Acunetix Enterprise WVS 3.0
Cenzic Hailstorm 3.0
NT Objectives NTOSpider 2.1
Syhunt Sandcat Suite
SPI Dynamics WebInspect 5.8
Watchfire Appscan 6

Manual testing tools:

Burp Suite 1.01
Ecyware BlueGreen Inspector
Paros Proxy
OWASP Webscarab

-ae

Received on Feb 17 2006
