Re: web application scanning

[David Pirolo <webmaster () WARNERPACIFIC EDU>]

If you have 501(c)(3) status, the Nessus ProfessionalFeed subscription
is free.
http://www.tenable.com/about-tenable/tenable-in-the-community/tenable-charitable-organization-subscription-program

David Pirolo
Warner Pacific College

On Tue, 2012-02-07 at 17:38 -0500, Brian J Smith-Sweeney wrote:
> On Tue, Feb 7, 2012 at 2:44 PM, Michael Sheinberg
> <msheiny () seas upenn edu> wrote:
> > Hello,
> >
> > Does anyone here have any recommendations for tools (preferably
> > open-source) that will scan web-servers for vulnerable application
> > frameworks + plug-ins?
> >
> > Stuff like looking for out-of-date Drupal, Joomla, etc. Obviously I can
> > find some of these tools with Google on my own, just curious if anyone
> > has any positive experience with any in particular.
> I believe both Nikto and Nessus have tests for some frameworks, and
> regardless  are good to include in your web app assessment kit.
>
> We have mostly moved away from fully automated web assessment tools -
> we used to own WebInspect, but are dropping the license in favor of
> more manual/raw tools like Burp (just bought a few licenses), and
> WebScarab (has a good session ID analysis tool).  Burp is not open
> source but is incredibly cheap and extremely useful.
>
> If you're looking for some really soft targets to test your assessment
> tools against ,or want a packaged up version of some web app security
> tools, I suggest checking out the Web Security Dojo
> (http://www.mavensecurity.com/web_security_dojo/). It's a solid,
> self-contained practice and testing environment.
>
>
> Cheers,
> Brian
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Brian Smith-Sweeney            Project Lead
> ITS Technology Security Services, New York University
> http://www.nyu.edu/its/security
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~