WebApp Sec: RE: FW: Tools comparison and evaluation question (AppScan)

RE: FW: Tools comparison and evaluation question (AppScan)

From: Erwin Geirnaert <egeirnaert_at_securityinnovation.be>
Date: Fri, 17 Feb 2006 17:43:58 +0100

Has nobody played with HailStorm from Cenzic yet?
From my personal experience: it looks great and performs well when
scanning web apps. It allows you to automate certain things like boundary
testing, privilege escalation or authorization bypass.

Because I do a lot of manual security testing with open-source tools, I
don't like tools that only scan things by fuzzing parameters and show a
lot of false positives. If I can't see how attacks are executed and I
can't customize the attack patterns, it has no use for me.

It all depends on what you are looking for: low-hanging fruit, or an
assessment tool that can be used and shared in the development phase by
developers and testers.

I hope that the project at OWASP about the web app scanner market (is it a
project or an individual initiative?) is able to shed some light on the
real power of commercial tools. I can imagine that when you need
automated assessment tools and can only rely on Google or banners on
security sites (or even mailing list ads :)) to learn about these
products, you don't know what to choose.

Erwin

-----Original Message-----
From: Peter Wood [mailto:peterw_at_firstbase.co.uk]
Sent: Friday 17 February 2006 16:06
To: webappsec_at_securityfocus.com
Cc: Charles'
Subject: Re: FW: Tools comparison and evaluation question (AppScan)

We use WebInspect on a daily basis too, and have done so since version
1.0. It's an excellent tool with some excellent (and constantly
improving) utilities.

Pete

At 13:46 17/02/2006 +0000, Xyberpix wrote:
>I use WebInspect pretty much on a daily basis, and wouldn't trade it
>for anything.
>As far as tools go, it really is a worthwhile addition.
>
>xyberpix
>
>>-----Original Message-----
>>From: Burke, Charles
>>Sent: Friday, February 17, 2006 7:47 AM
>>To: 'Serg Belokamen'
>>Subject: RE: Tools comparison and evaluation question (AppScan)
>>Also, WebInspect is a very good (commercial) tool. It also includes
>>some invaluable utilities (Sql Injector, etc) that are a step above
>>their open source competitors.
>>
>>-----Original Message-----
>>From: Serg Belokamen [serg.belokamen_at_gmail.com]
>>Sent: Friday, February 17, 2006 2:04 AM
>>To: webappsec_at_securityfocus.com
>>Subject: Tools comparison and evaluation question (AppScan)
>>
>>Hi All,
>>
>>I am currently looking at using/evaluating a tool called AppScan (by
>>watchfire.com).
>>
>>So the question is in two parts and an ASAP reply would be greatly
>>appreciated.
>>
>>First:
>>Without starting a flame war (hopefully) or marketing campaign (another
>>hopefully), can anyone tell me about their experience with the software,
>>what you find useful about it, what not, any annoyances, missing
>>functionality, etc.
>>
>>Second:
>>Can anyone recommend any similar type of software, preferably open
>>source (although not at all essential), and describe its performance,
>>usability and "usefulness", so to speak, using AppScan as a reference
>>point.
>>
>> Thanks,
>> Serg

--------------------------------------------------------------------
Peter Wood FBCS CITP MIEEE MIMIS CISSP
Chief of Operations
First Base Technologies
Office: +44 (0)1273 454525
Mobile: +44 (0)7774 239915
www.fbtechies.co.uk
www.white-hats.co.uk

-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
-------------------------------------------------------------------------

Received on Feb 17 2006