Re: Vuln Scanner for Web App Source Code

[Christian Nanne <cnanne () gmail com>]

Thanks everybody for the prompt responses I will give it a try to some  
of the tools and see how it goes from there.
On May 19, 2008, at 3:01 PM, Dan Denton wrote:

> I'd highly recommend Paros Proxy for this task. We've used it with  
> success
> in locating pages vulnerable to XSS and SQLI. The product acts as a  
> proxy
> server, and also has a spider program built in. Once you've accessed  
> the
> pages you want to access, you can use the spider to crawl the rest  
> of the
> site, then run Paros's report program to analyze the results.
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com 
> ] On
> Behalf Of Paul J. Brickett
> Sent: Monday, May 19, 2008 9:10 AM
> To: cnanne () gmail com
> Cc: security-basics () securityfocus com;
> security-basics-return-49117 () securityfocus com
> Subject: Re: Vuln Scanner for Web App Source Code
>
> Acunetix Web Vulnerability Scanner will somewhat do this- it will
> attempt to manipulate various variables it detects in the pages
> you're scanning, then point
> out which variables in your souce are susceptible to unsanitized  
> input,
> cross site scripting, ect.
>
> That said, if you have the time doing this manually is the superior
> method. :)
>
> -PJB
>
> On Sun, 18 May 2008, cnanne () gmail com wrote:
>
> > This might be a bit of a dumb question, but does anyone know of a  
> > good
> Vulnerability Scanner for finding faults in the actual Source Code  
> of the
> Web App? Or can this task can only be done by hand?
> > Any feedback on this is highly appreciative
> >
> >
> > cheers,
> >
> > PhoenixRbrth