Security Basics mailing list archives

Re: web application vulnerability tools list needed


From: Todd Haverkos <infosec () haverkos com>
Date: Thu, 03 Mar 2011 13:22:59 -0600


"Gary Hansen" <Gary.Hansen () xirrus com> writes:
I am curious what input anyone would have regarding Nessus and/or Retina
Scan, when compared to these other tools?

To Gary's question, I'd say Nessus quite simply isn't a web app vuln
scanner. It's an excellent network vuln scanner.  It can do some web
tests, yes, but it's not a web app vuln scanner.  In that space of
"network vuln assessment tools that also dabble in web stuff" Rapid7's
Nexpose seems to have more effort placed in the web test realm.

eEye's Retina I have no experience with... it's also a network vuln
scanner I believe.  Like the competitors mentioned above I imagine
they're trying to do web app stuff too.

Retina/Nessus/Nexpose largely are going to query ports, fingerprint
them, divine a version from them, if given credentials will scrape the
machine to validate those assumptions, and tell you a list of known
vulnerabilities in that software.  You need to patch ssh, you have an
ancient version of Solaris, you have a JVM installed from 1998, your
passwords never expire, etc.  Real web app scanners, though, are
fuzzers of sorts that can be turned loose against custom apps,
modifying inputs across the attack surface of the application, and
make decisions about OWASP type vulnerabilities.  They'll tell you
"form blah looks to have an SQL injection issue," or "this field has a
cross site scripting vuln"  or "I can do LDAP injection via this login
form"  or "your session management on this app looks entirely broken." 

That said, where the rubber meets the road on dynamic web app scanners
though:

IBM Appscan (they bought Watchfire) and HP WebInspect and AMP (they
bought SPI Dynamics) are the heavy hitters I'm aware of in the web app
scanning space.  HP's recent acquisition of Fortify on the code
scanning side makes a compelling combination for those tasked with
enterprise wide management of web app security.  IBM bought Ounce with
similar thoughts, but I don't get nearly the "they seem to get it"
vibe I do from HP and the evangelism their Rafal Los is shopping to
the masses.

All points folks have made about the limitations of automated dynamic
testing are well advised, though.  

Now, for individual tests or consulting on single app engagements (and
when you aren't burdened with pesky things like trending and metrics,
discovery, and have way more apps to deal with than you could ever
hand test) Portswigger's Burp Suite Pro scanner + manual effort
automated by savvy use of Burp Suite is a better time spend in the
opinion of many than [Webinspect or Appscan + the time you need to
take to validate and weed out all the false positives].

The other angles you can take at web app assessment include static
binary analysis -- e.g. Veracode.  This approach stands between
dynamic tests on running apps and doing source code review, and is
something you can do beyond dynamic testing for things you don't have
source code for.

And then there's code scanning and review -- which is where the
Fortify and Ounce tools play.

Best Regards, 
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of AK
Sent: Monday, February 28, 2011 4:38 PM
To: Rajesh R
Cc: pen-test () securityfocus com; security-basics () securityfocus com
Subject: Re: web application vulnerability tools list needed

Have you tried googling?
http://www.owasp.org/index.php/Category:Penetration_Testing_Tools

On 02/28/2011 07:54 PM, Rajesh R wrote:
> Hi
>
> As I need to do a vulnerability assessment for a web application in my
> project, please let me know the tools which are available to find out
> vulnerabilities in a web application.
>
> For both platforms, Windows and Unix/Linux, and also both
> open-source and commercial products.
>
> Thanks
>
> --
>
> ------------------------------------------
>
> Thanks,
>
> Rajesh R
>
> Mobile: +91-9000-581-806

-- 
-- thanasisk


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an
SSL certificate.  We look at how SSL works, how it benefits your company
and how your customers can tell if a site is secure. You will find out
how to test, purchase, install and use a thawte Digital Certificate on
your Apache web server. Throughout, best practices for set-up are
highlighted to help you ensure efficient ongoing management of your
encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
