Re: Web Application Tester

[<petercheung () gawab com>]

In-Reply-To: <0FD9D979B9535D4890AE309799B6D1E59DA0B4 () lansingemail seqnt com>

There is a paper from BlackHat:

http://www.blackhat.com/presentations/bh-federal-03/bh-fed-03-grossman-up.pdf

which showed that automatic scanning solves half a problem.  It's a must for any tester to dig into the web application 
to analyse it manually.

petercheung () gawab com

> I have to agree with you here - the cost of button pushing can be
> immense.  I think SPI is a great tool, though not entirely perfect.  I
> can't imagine trying to do multiple or large web sites all by hand - it
> simply wouldn't be as thorough for the same money.  Of course, the ideal
> is to have enough volume for a consultants license for a year, then the
> cost is easily justified.  That said, a tool is just a tool, and
> shouldn't be relied on for more than "brute force" checking of inputs,
> etc.  Human intelligence is essential to doing a good job.
>
> Mark Lachniet=20
>
> > -----Original Message-----
> > From: A.R. [mailto:r00t () northernfortress net]=20
> > Sent: Thursday, September 16, 2004 8:45 PM
> > To: chuan.delahosseraye () accenture com
> > Cc: andrew () beegads com; pen-test () securityfocus com
> > Subject: RE: Web Application Tester
> > =20
> > I think that when having to choose between a free and a=20
> > commercial tool, it's all about figuring out the return of investment.
> > =20
> > If it takes one week to manually inspect an application with
> > nikto+wget+webscarab+achilles+spike, and only 1 day using Appscan for
> > the "grunt" work plus 2 days for the manual refinement, the 4=20
> > days I gain are worth more than the ~1,000 dollars I have to=20
> > spend for a 7-days Appscan license.
> > =20
> > In the end, I usually prefer to use Paros (free tool), but I=20
> > think that in some situations AppScan/WebInspect can be at=20
> > least worth a look, even if their price makes them look=20
> > unprofitable at first sight.
> > =20
> > NB: I have never used AppDetective, so I am not saying in any=20
> > way that the other tools are better
> > =20
> > Just my 2 cents, of course :)
> > =20
> > A.
> > =20
> > On Wed, 2004-09-15 at 15:27, chuan.delahosseraye () accenture com wrote:
> > > According to my previous search on a Web pen-test tools, AppScan,=20
> > > WebInspect and Scando are all much more expensive than=20
> > AppDetective.=20
> > > If cost is a concern, it might be possible to combine a=20
> > selection of=20
> > > free tools such as:
> > > =20
> > > - Nessus
> > > - Nikto
> > > - WebScarab
> > > - Achilles
> > > =20
> > > But this would involve a lot of Manual works.
> > > =20
> > > Hope this helps
> > > Chuan
> > > =20
> > > -----Original Message-----
> > > From: A.R. [mailto:r00t () northernfortress net]
> > > Sent: 15 September 2004 12:27
> > > To: andrew () beegads com
> > > Cc: pen-test () securityfocus com
> > > Subject: Re: Web Application Tester
> > > =20
> > > Andrew,
> > > =20
> > > I don't know what's your budget, but for web applications=20
> > you can try=20
> > > the following commercial products:
> > > =20
> > > - AppScan, by Sanctum (www.sanctuminc.com)
> > > - WebInspect, by Spidynamics (www.spidynamics.com)
> > > - ScanDo, by Kavado (www.kavado.com)
> > > =20
> > > ...Or the good ol' Paros=20
> > (http://www.proofsecure.com/download.shtml),
> > > open source and free
> > > =20
> > > Hope this helps
> > > =20
> > > Alberto Revelli
> > > Northern Fortress, Inc.
> > > =20
> > > On Tue, 2004-09-14 at 22:49, Andrew Bagrin wrote:
> > > > Does anyone know of an application tester similar to AppDetective=20
> > > > thats not as hard on the pocket book?
> > > > I need to pentest a web app and am looking for some tools
> > > > =20
> > > > Thanks,
> > =20
> > =20

------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------