Educause Security Discussion mailing list archives
Re: web application scanning
From: David Pirolo <webmaster () WARNERPACIFIC EDU>
Date: Tue, 7 Feb 2012 14:47:20 -0800
If you have 501(c)(3) status, the Nessus ProfessionalFeed subscription is free.
http://www.tenable.com/about-tenable/tenable-in-the-community/tenable-charitable-organization-subscription-program

David Pirolo
Warner Pacific College

On Tue, 2012-02-07 at 17:38 -0500, Brian J Smith-Sweeney wrote:
> On Tue, Feb 7, 2012 at 2:44 PM, Michael Sheinberg <msheiny () seas upenn edu> wrote:
>> Hello,
>>
>> Does anyone here have any recommendations for tools (preferably open-source) that will scan web-servers for vulnerable application frameworks + plug-ins? Stuff like looking for out-of-date Drupal, Joomla, etc. Obviously I can find some of these tools with Google on my own, just curious if anyone has any positive experience with any in particular.
>
> I believe both Nikto and Nessus have tests for some frameworks, and regardless are good to include in your web app assessment kit. We have mostly moved away from fully automated web assessment tools - we used to own WebInspect, but are dropping the license in favor of more manual/raw tools like Burp (just bought a few licenses), and WebScarab (has a good session ID analysis tool). Burp is not open source but is incredibly cheap and extremely useful.
>
> If you're looking for some really soft targets to test your assessment tools against, or want a packaged up version of some web app security tools, I suggest checking out the Web Security Dojo (http://www.mavensecurity.com/web_security_dojo/). It's a solid, self-contained practice and testing environment.
>
> Cheers,
> Brian
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Brian Smith-Sweeney
> Project Lead
> ITS Technology Security Services, New York University
> http://www.nyu.edu/its/security
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
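The out-of-date Drupal/Joomla check Michael asks about boils down to reading the version hints a CMS leaves in its own responses (Drupal's X-Generator header, Joomla's generator meta tag) and comparing them against the current release. Here is an added example of that core step for inventorying your own servers; it is not code from the thread or from Nikto/Nessus, and the "latest release" table and sample responses are constructed placeholders, not real version data.

```python
"""Flag out-of-date Drupal/Joomla installs from HTTP response fingerprints."""
import re
from typing import Optional, Tuple

# Constructed placeholder table of "current" releases.  A real inventory
# job would refresh these from the vendors' release notes.
LATEST = {"Drupal": (7, 12), "Joomla": (2, 5, 1)}

# Self-identification a CMS emits: Drupal sends an X-Generator header,
# Joomla writes a <meta name="generator"> tag into every page.
GENERATOR_HEADER = "x-generator"
META_GENERATOR = re.compile(
    r'<meta\s+name="generator"\s+content="([^"]+)"', re.IGNORECASE)
VERSION_RE = re.compile(
    r"(Drupal|Joomla)!?\s*([0-9]+(?:\.[0-9]+)*)", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.5.26' -> (1, 5, 26); tuples compare component-wise."""
    return tuple(int(p) for p in text.split("."))


def fingerprint(headers: dict, body: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Return (framework, version) from header or meta hints, or None.

    A missing hint does NOT prove the CMS is absent; many sites strip
    the generator tag, so treat None as 'unknown', not 'clean'.
    """
    hints = []
    lower = {k.lower(): v for k, v in headers.items()}
    if GENERATOR_HEADER in lower:
        hints.append(lower[GENERATOR_HEADER])
    m = META_GENERATOR.search(body)
    if m:
        hints.append(m.group(1))
    for hint in hints:
        vm = VERSION_RE.search(hint)
        if vm:
            return vm.group(1).capitalize(), parse_version(vm.group(2))
    return None


def is_outdated(headers: dict, body: str) -> Optional[bool]:
    """True if the observed version is behind LATEST, False if current,
    None if no fingerprint was found.  Only as many components as the
    server reports are compared (Drupal 7 only advertises the major)."""
    fp = fingerprint(headers, body)
    if fp is None:
        return None
    name, ver = fp
    return ver < LATEST[name][:len(ver)]


if __name__ == "__main__":  # constructed sample responses
    print(is_outdated({"X-Generator": "Drupal 7 (http://drupal.org)"}, ""))
    print(is_outdated({}, '<meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />'))
```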