Penetration Testing mailing list archives
Re: Sensepost Wikto vs E-Or
From: Roelof Temmingh <roelof () sensepost com>
Date: Mon, 8 May 2006 15:41:57 +0200 (SAST)
-------- Original Message --------
Subject: Sensepost Wikto vs E-Or
Date: Fri, 05 May 2006 15:49:44 +0800
From: Mike Gilligan <mikewgilligan () hotmail com>
To: pen-test () securityfocus com

Hi list

Could someone familiar with the whole Web Application Assessment space educate me on the differences between the Sensepost Wikto and E-Or tools? They both appear to be Web Application Assessment tools but I'm sure there are subtle if not very obvious differences that I'm missing.

Thanks,
Mike.

-----------------------------------

Perhaps I can shed some light on this.

Wikto was never intended for web application testing - it does very little in the application space, but is rather used to find problems on the server hosting the application - e.g. it does an intelligent run of the Nikto database, it looks for common directories and files in the found directories, and it performs a scan of the Google Scan database. In other words - Wikto will spot mistakes on the web server, but does not say anything about the web application (or very little).

E-Or on the other hand is aimed at the application itself - it does not try to comment on the web server where the application is hosted. As such, E-Or will look for problems in parameter handling, database injection etc. and not whether the web server hosting the application is secure.

The Crowbar application plays in the same space - it works on a lower level - e.g. sending different forms of the same request and looking at the differences in the response.

In the past couple of months it became clear that these types of testing are very much related - e.g. the lines between application and server are blurring more and more. As such SensePost will be releasing an application that will combine the efforts put into Wikto, E-Or and Crowbar into a single application - this will be called the SensePost Suru WebProxy and is due for release at BlackHat Las Vegas 2006.
Wikto, E-Or and Crowbar can be found at http://www.sensepost.com/research/

I hope this sheds some light on the use of the different applications.

Regards,
Roelof.

=====================
Roelof Temmingh
+ 27 12 460 0880
GMT+2
=====================
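The "send different forms of the same request and look at the differences in the response" technique that the reply attributes to Crowbar, as an added example that is not part of the original message and is not SensePost's code. It assumes a single product-lookup parameter and three hypothetical variants of it; the HTTP responses are constructed samples, not captures from any real server. The point it shows beyond the prose is that raw responses almost never compare equal (dates, request ids), so volatile content has to be normalised before the diff means anything.

```python
"""Differential response analysis: normalise a baseline response and a set of
variant responses, then flag the variants whose body diverges from the baseline.
All responses below are constructed samples, not real captures."""
import difflib
import re

# Content that legitimately differs between otherwise identical responses.
# Without stripping it every pair would be reported as "different".
VOLATILE = [
    (re.compile(r"^Date:.*$", re.M), "Date: <stripped>"),
    (re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"), "<ts>"),
    (re.compile(r"\bid=[0-9a-f]+"), "id=<id>"),
]


def normalise(response: str) -> str:
    """Replace volatile fragments so two responses can be compared by content."""
    for pattern, replacement in VOLATILE:
        response = pattern.sub(replacement, response)
    return response


def classify(baseline: str, variants: dict, threshold: float = 0.9) -> dict:
    """Return {variant_name: (similarity_ratio, verdict)} relative to baseline.

    verdict is 'identical' (equal after normalisation), 'similar' (ratio at or
    above threshold) or 'different'."""
    base = normalise(baseline)
    results = {}
    for name, response in variants.items():
        norm = normalise(response)
        ratio = difflib.SequenceMatcher(None, base, norm).ratio()
        if norm == base:
            verdict = "identical"
        elif ratio >= threshold:
            verdict = "similar"
        else:
            verdict = "different"
        results[name] = (ratio, verdict)
    return results


# Constructed sample: response to the unmodified request ?product=42
BASELINE = """HTTP/1.1 200 OK
Content-Type: text/html
Date: Mon, 08 May 2006 13:41:57 GMT

<html><body>
<h1>Product 42</h1>
<p>Widget, blue, 9.99</p>
<!-- served 2006-05-08 13:41:57 id=8a1f -->
</body></html>"""

# Constructed samples for three hypothetical variants of the same parameter.
VARIANTS = {
    "42 and 1=1": """HTTP/1.1 200 OK
Content-Type: text/html
Date: Mon, 08 May 2006 13:42:03 GMT

<html><body>
<h1>Product 42</h1>
<p>Widget, blue, 9.99</p>
<!-- served 2006-05-08 13:42:03 id=c03e -->
</body></html>""",
    "42 and 1=2": """HTTP/1.1 200 OK
Content-Type: text/html
Date: Mon, 08 May 2006 13:42:09 GMT

<html><body>
<h1>Product </h1>
<p>No such product</p>
<!-- served 2006-05-08 13:42:09 id=d771 -->
</body></html>""",
    "42'": """HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Date: Mon, 08 May 2006 13:42:15 GMT

<html><body>
<h1>Error</h1>
<pre>You have an error in your SQL syntax near ''' at line 1</pre>
</body></html>""",
}


def report(baseline: str, variants: dict) -> None:
    """Print the verdict per variant and a unified diff for the divergent ones."""
    base = normalise(baseline).splitlines()
    for name, (ratio, verdict) in classify(baseline, variants).items():
        print(f"{name!r:16} ratio={ratio:.2f} {verdict}")
        if verdict != "identical":
            diff = difflib.unified_diff(base, normalise(variants[name]).splitlines(),
                                        "baseline", name, lineterm="", n=0)
            print("\n".join("    " + line for line in diff))


if __name__ == "__main__":
    report(BASELINE, VARIANTS)
```

The "42 and 1=1" variant collapses to identical once the Date header and request id are stripped, the quoted variant is clearly different, and "42 and 1=2" lands in between: it is not identical but most of the page is unchanged, which is exactly the subtle difference a human looking at raw responses tends to miss. The threshold is a tuning knob; on a real target it should be calibrated by sending the unmodified request twice and checking that the two baselines classify as identical before any variant is judged.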
Current thread:
- Sensepost Wikto vs E-Or Mike Gilligan (May 07)
- <Possible follow-ups>
- Re: Sensepost Wikto vs E-Or Roelof Temmingh (May 08)