Re: out of box scanner

[Rob Fuller <jd.mubix () gmail com>]

I completely agree with Aleph - Burp is the way to go if you are
looking for the best of breed, but for the zero-to-report type
scanner, please see the aforementioned list.

--
Rob Fuller | Mubix
Room362.com | Hak5.org | TheAcademyPro.com


On Mon, Nov 30, 2009 at 3:51 PM, Aleph One <al3ph.one () gmail com> wrote:
> If you are looking for only scanners, then may be above scanners are in the right league. You can happily ignore the 
> further part of this post.
> If you are looking for best web application tool involving manual and automated techniques, Burp rules the web app 
> pen testing today. Webscarab,paros and most of the others had many limitations that were overcame by this tool and is 
> still improving.
> You should verify it with other people or pen testers through your first/second degree network to get a direct 
> feedback.
> These scanners are alright if you have to scan and throw away reports just for the heck of scanning or doin git for 
> the clients who do not know what is pen testing beyong vulnerabilitiy assessment.. In order to find out issues 
> technically, such as SQL Injection or say CSRF , these tools may not do so off the track at some parameters that may 
> be outside the scope of the way scanner is coded. It will just use those filters/checks specfically built inside 
> unlike a manual technique combined with some automated techniques.
> I am not at all related with burp or any of the guys associated with tool. Hope my suggestion is taken as neutral.
>
> On Mon, Nov 30, 2009 at 2:33 PM, Rob Fuller <jd.mubix () gmail com> wrote:
> > I would highly suggest taking a look at the scanner list here:
> > http://webappsec.pbworks.com/Web-Application-Security-Scanner-List
> >
> > Seems to be the most comprehensive list... (at least that I've seen)
> >
> > --
> > Rob Fuller | Mubix
> > Room362.com | Hak5.org | TheAcademyPro.com
> >
> >
> > On Mon, Nov 30, 2009 at 4:24 AM, Onur YILMAZ <contact () onuryilmaz info> wrote:
> > > You can try Netsparker;
> > >
> > > http://www.mavitunasecurity.com
> > >
> > > -----Original Message-----
> > > From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
> > > Behalf Of John Bennett
> > > Sent: Wednesday, November 25, 2009 6:16 PM
> > > To: pen-test () securityfocus com
> > > Subject: out of box scanner
> > >
> > > I'm currently evaluating some commercial scanners and wanted to get a
> > > feel for others experiences with appscan/cenzic/webinspect.  Any
> > > gotcha's with any of these products and can anybody recommend one over
> > > the other?
> > >
> > > thanks,
> > > John
> > >
> > > ------------------------------------------------------------------------
> > > This list is sponsored by: Information Assurance Certification Review Board
> > >
> > > Prove to peers and potential employers without a doubt that you can actually
> > > do a proper penetration test. IACRB CPT and CEPT certs require a full
> > > practical examination in order to become certified.
> > >
> > > http://www.iacertification.org
> > > ------------------------------------------------------------------------
> > >
> > >
> > >
> > >
> > > ------------------------------------------------------------------------
> > > This list is sponsored by: Information Assurance Certification Review Board
> > >
> > > Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB 
> > > CPT and CEPT certs require a full practical examination in order to become certified.
> > >
> > > http://www.iacertification.org
> > > ------------------------------------------------------------------------
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Information Assurance Certification Review Board
> >
> > Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
> > and CEPT certs require a full practical examination in order to become certified.
> >
> > http://www.iacertification.org
> > ------------------------------------------------------------------------
>
>
>
> --
> 4E 6F 6C 69 67 68 74 61 74 74 68 65 65 6E 64 6F 66 74 75 6E 6E 65 6C 79 65 74 21

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------