Penetration Testing mailing list archives

RE: Web Application Tester

From: "Lachniet, Mark" <mlachniet () sequoianet com>
Date: Tue, 21 Sep 2004 08:49:39 -0400

I have to agree with you here - the cost of button pushing can be
immense.  I think SPI is a great tool, though not entirely perfect.  I
can't imagine trying to do multiple or large web sites all by hand - it
simply wouldn't be as thorough for the same money.  Of course, the ideal
is to have enough volume for a consultants license for a year, then the
cost is easily justified.  That said, a tool is just a tool, and
shouldn't be relied on for more than "brute force" checking of inputs,
etc.  Human intelligence is essential to doing a good job.

Mark Lachniet

-----Original Message-----
From: A.R. [mailto:r00t () northernfortress net] 
Sent: Thursday, September 16, 2004 8:45 PM
To: chuan.delahosseraye () accenture com
Cc: andrew () beegads com; pen-test () securityfocus com
Subject: RE: Web Application Tester

I think that when having to choose between a free and a 
commercial tool, it's all about figuring out the return of investment.

If it takes one week to manually inspect an application with
nikto+wget+webscarab+achilles+spike, and only 1 day using Appscan for
the "grunt" work plus 2 days for the manual refinement, the 4 
days I gain are worth more than the ~1,000 dollars I have to 
spend for a 7-days Appscan license.

In the end, I usually prefer to use Paros (free tool), but I 
think that in some situations AppScan/WebInspect can be at 
least worth a look, even if their price makes them look 
unprofitable at first sight.

NB: I have never used AppDetective, so I am not saying in any 
way that the other tools are better

Just my 2 cents, of course :)

A.

On Wed, 2004-09-15 at 15:27, chuan.delahosseraye () accenture com wrote:

According to my previous search on a Web pen-test tools, AppScan, 
WebInspect and Scando are all much more expensive than

AppDetective.

If cost is a concern, it might be possible to combine a

selection of

free tools such as:

- Nessus
- Nikto
- WebScarab
- Achilles

But this would involve a lot of Manual works.

Hope this helps
Chuan

-----Original Message-----
From: A.R. [mailto:r00t () northernfortress net]
Sent: 15 September 2004 12:27
To: andrew () beegads com
Cc: pen-test () securityfocus com
Subject: Re: Web Application Tester

Andrew,

I don't know what's your budget, but for web applications

you can try

the following commercial products:

- AppScan, by Sanctum (www.sanctuminc.com)
- WebInspect, by Spidynamics (www.spidynamics.com)
- ScanDo, by Kavado (www.kavado.com)

...Or the good ol' Paros

(http://www.proofsecure.com/download.shtml),

open source and free

Hope this helps

Alberto Revelli
Northern Fortress, Inc.

On Tue, 2004-09-14 at 22:49, Andrew Bagrin wrote:

Does anyone know of an application tester similar to AppDetective 
thats not as hard on the pocket book?
I need to pentest a web app and am looking for some tools

Thanks,



--------------------------------------------------------------
----------------
Ethical Hacking at the InfoSec Institute. All of our class 
sizes are guaranteed to be 12 students or less to facilitate 
one-on-one interaction with one of our expert instructors. 
Check out our Advanced Hacking course, learn to write 
exploits and attack security infrastructure. Attend a course 
taught by an expert instructor with years of in-the-field pen 
testing experience in our state of the art hacking lab. 
Master the skills of an Ethical Hacker to better assess the 
security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
--------------------------------------------------------------
-----------------


------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------

Current thread:

Re: Web Application Tester, (continued)
- Re: Web Application Tester Darren Bounds (Sep 21)
- Re: Web Application Tester mkraisi (Sep 15)
- RE: Web Application Tester Hayden Searle (Sep 15)
  - Re: Web Application Tester Mambo Dsouza (Sep 16)
- RE: Web Application Tester John Floyd (Sep 16)
- RE: Web Application Tester chuan.delahosseraye (Sep 16)
  - RE: Web Application Tester A.R. (Sep 18)
- RE: Web Application Tester dseth (Sep 17)
- RE: Web Application Tester Bénoni MARTIN (Sep 17)
- RE: Web Application Tester Bowes, Ronald (EST) (Sep 18)
- RE: Web Application Tester Lachniet, Mark (Sep 21)
- Re: Web Application Tester petercheung (Sep 23)
- RE: Web Application Tester Todd Towles (Sep 24)