Security Basics mailing list archives
Re: web application vulnerability tools list needed
From: Todd Haverkos <infosec () haverkos com>
Date: Thu, 03 Mar 2011 13:22:59 -0600
"Gary Hansen" <Gary.Hansen () xirrus com> writes:
I am curious what input anyone would have regarding Nessus and/or Retina Scan, when compared to these other tools?
To Gary's question, I'd say Nessus quite simply isn't a web app vuln scanner. It's an excellent network vuln scanner. It can do some web tests, yes, but it's not a web app vuln scanner. In that space of "network vuln assessment tools that also dabble in web stuff," Rapid7's Nexpose seems to have more effort placed in the web test realm. eEye's Retina I have no experience with... it's also a network vuln scanner, I believe. Like the competitors mentioned above, I imagine they're trying to do web app stuff too.

Retina/Nessus/Nexpose largely are going to query ports, fingerprint them, divine a version from them, if given credentials will scrape the machine to validate those assumptions, and tell you a list of known vulnerabilities in that software. You need to patch ssh, you have an ancient version of Solaris, you have a JVM installed from 1998, your passwords never expire, etc.

Real web app scanners, though, are fuzzers of sorts -- that can be turned loose against custom apps, modifying inputs across the attack surface of the application, and make decisions about OWASP-type vulnerabilities. They'll tell you "form blah looks to have an SQL injection issue," or "this field has a cross site scripting vuln," or "I can do LDAP injection via this login form," or "your session management on this app looks entirely broken."

That said, where the rubber meets the road on dynamic web app scanners: IBM AppScan (they bought Watchfire) and HP WebInspect and AMP (they bought SPI Dynamics) are the heavy hitters I'm aware of in the web app scanning space. HP's recent acquisition of Fortify on the code scanning side makes a compelling combination for those tasked with enterprise-wide management of web app security. IBM bought Ounce with similar thoughts, but I don't get nearly the "they seem to get it" vibe I do from HP and the evangelism their Rafal Los is shopping to the masses. All points folks have made about the limitations of automated dynamic testing are well advised, though.

Now, for individual tests or consulting on single app engagements (and when you aren't burdened with pesky things like trending and metrics, discovery, and have way more apps to deal with than you could ever hand test), Portswigger's Burp Suite Pro scanner + manual effort automated by savvy use of Burp Suite is a better time spend in the opinion of many than [WebInspect or AppScan + the time you need to take to validate and weed out all the false positives].

The other angles you can take at web app assessment include static binary analysis -- e.g. Veracode. This approach stands between dynamic tests on running apps and doing source code review, and is something you can do beyond dynamic testing for things you don't have source code for. And then there's code scanning and review -- which is where the Fortify and Ounce tools play.

Best Regards,
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of AK
Sent: Monday, February 28, 2011 4:38 PM
To: Rajesh R
Cc: pen-test () securityfocus com; security-basics () securityfocus com
Subject: Re: web application vulnerability tools list needed

Have you tried googling?
http://www.owasp.org/index.php/Category:Penetration_Testing_Tools

On 02/28/2011 07:54 PM, Rajesh R wrote:
Hi,
As I need to do vulnerability assessment for a web application in my project, please let me know the tools which are available to find out vulnerabilities in a web application, for both platforms Windows and Unix/Linux, and also both open source/commercial products.
Thanks
--
Thanks,
Rajesh R
Mobile: +91-9000-581-806

--
thanasisk

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------