Penetration Testing mailing list archives
Re: Web Application Tester
From: <petercheung () gawab com>
Date: 23 Sep 2004 10:27:44 -0000
In-Reply-To: <0FD9D979B9535D4890AE309799B6D1E59DA0B4 () lansingemail seqnt com> There is a paper from BlackHat: http://www.blackhat.com/presentations/bh-federal-03/bh-fed-03-grossman-up.pdf which showed that automatic scanning solves half a problem. It's a must for any tester to dig into the web application to analyse it manually. petercheung () gawab com
I have to agree with you here - the cost of button pushing can be immense. I think SPI is a great tool, though not entirely perfect. I can't imagine trying to do multiple or large web sites all by hand - it simply wouldn't be as thorough for the same money. Of course, the ideal is to have enough volume for a consultants license for a year, then the cost is easily justified. That said, a tool is just a tool, and shouldn't be relied on for more than "brute force" checking of inputs, etc. Human intelligence is essential to doing a good job. Mark Lachniet=20-----Original Message----- From: A.R. [mailto:r00t () northernfortress net]=20 Sent: Thursday, September 16, 2004 8:45 PM To: chuan.delahosseraye () accenture com Cc: andrew () beegads com; pen-test () securityfocus com Subject: RE: Web Application Tester =20 I think that when having to choose between a free and a=20 commercial tool, it's all about figuring out the return of investment. =20 If it takes one week to manually inspect an application with nikto+wget+webscarab+achilles+spike, and only 1 day using Appscan for the "grunt" work plus 2 days for the manual refinement, the 4=20 days I gain are worth more than the ~1,000 dollars I have to=20 spend for a 7-days Appscan license. =20 In the end, I usually prefer to use Paros (free tool), but I=20 think that in some situations AppScan/WebInspect can be at=20 least worth a look, even if their price makes them look=20 unprofitable at first sight. =20 NB: I have never used AppDetective, so I am not saying in any=20 way that the other tools are better =20 Just my 2 cents, of course :) =20 A. =20 On Wed, 2004-09-15 at 15:27, chuan.delahosseraye () accenture com wrote:According to my previous search on a Web pen-test tools, AppScan,=20 WebInspect and Scando are all much more expensive than=20AppDetective.=20If cost is a concern, it might be possible to combine a=20selection of=20free tools such as: =20 - Nessus - Nikto - WebScarab - Achilles =20 But this would involve a lot of Manual works. =20 Hope this helps Chuan =20 -----Original Message----- From: A.R. [mailto:r00t () northernfortress net] Sent: 15 September 2004 12:27 To: andrew () beegads com Cc: pen-test () securityfocus com Subject: Re: Web Application Tester =20 Andrew, =20 I don't know what's your budget, but for web applications=20you can try=20the following commercial products: =20 - AppScan, by Sanctum (www.sanctuminc.com) - WebInspect, by Spidynamics (www.spidynamics.com) - ScanDo, by Kavado (www.kavado.com) =20 ...Or the good ol' Paros=20(http://www.proofsecure.com/download.shtml),open source and free =20 Hope this helps =20 Alberto Revelli Northern Fortress, Inc. =20 On Tue, 2004-09-14 at 22:49, Andrew Bagrin wrote:Does anyone know of an application tester similar to AppDetective=20 thats not as hard on the pocket book? I need to pentest a web app and am looking for some tools =20 Thanks,=20 =20
------------------------------------------------------------------------------ Ethical Hacking at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Check out our Advanced Hacking course, learn to write exploits and attack security infrastructure. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. http://www.infosecinstitute.com/courses/ethical_hacking_training.html -------------------------------------------------------------------------------
Current thread:
- Re: Web Application Tester, (continued)
- Re: Web Application Tester mkraisi (Sep 15)
- RE: Web Application Tester Hayden Searle (Sep 15)
- Re: Web Application Tester Mambo Dsouza (Sep 16)
- RE: Web Application Tester John Floyd (Sep 16)
- RE: Web Application Tester chuan.delahosseraye (Sep 16)
- RE: Web Application Tester A.R. (Sep 18)
- RE: Web Application Tester dseth (Sep 17)
- RE: Web Application Tester BĂ©noni MARTIN (Sep 17)
- RE: Web Application Tester Bowes, Ronald (EST) (Sep 18)
- RE: Web Application Tester Lachniet, Mark (Sep 21)
- Re: Web Application Tester petercheung (Sep 23)
- RE: Web Application Tester Todd Towles (Sep 24)