WebApp Sec mailing list archives

RE: Web Application Source Vulnerability Scanners


From: "Rose, Tracey" <Tracey.Rose () bestsoftware com>
Date: Tue, 4 Mar 2003 16:43:58 -0500

It is nearly impossible to find on wiretapped. But it is here:
http://www.mirrors.wiretapped.net/security/vulnerability-assessment/spike/

-----Original Message-----
From: Dave Aitel [mailto:dave () immunitysec com]
Sent: Tuesday, March 04, 2003 4:06 PM
To: webappsec () securityfocus com; ory.segal () sanctuminc com;
securityarchitect () hush com
Subject: Re: Web Application Source Vulnerability Scanners


Not to mention there are MANY open source tools that do all those things.
SPIKE Proxy (which I wrote) doesn't automatically detect that you got kicked
out of session, but it would be fairly easy to patch it up to do so, once
you realized that was happening. It maintains whatever cookies you happen to
have, and you can start multiple scans using multiple cookies at once, if you
so choose. You can even specify a particular cookie to be used while you
spider - actually, this happens automatically once you choose your starting
request.

Which reminds me, does anyone have a mirror of the Win32 package for SPIKE
Proxy? I'm currently in New Zealand, which is preventing me from kicking
Verizon around until they fix the DSL line the Immunity web site runs off
of, and I keep getting e-mailed requests for it. Apparently it is impossible
to find on packetstorm or wiretapped. Is there any possibility of a mirror
on OWASP?

Dave Aitel
SPIKE Proxy: The next generation of tools.


----- Original Message -----
From: <securityarchitect () hush com>
To: <webappsec () securityfocus com>; <ory.segal () sanctuminc com>
Sent: Wednesday, March 05, 2003 5:48 AM
Subject: RE: Web Application Source Vulnerability Scanners



I know this list doesn't cater for commercial tool discussions
specifically so choosing words carefully moderator ;-)

To counter that you should look at the latest review of commercial tools.
All failed pretty miserably and the general recommendation was to wait until
the next generation of tools comes out.

http://www.infosecuritymag.com/2003/jan/cover.shtml


On Tue, 04 Mar 2003 07:25:02 -0800 Ory Segal <ory.segal () sanctuminc com>
wrote:
Hi,

The problem with most open source tools is that they are very strong in
CGI Scanning, but when it comes to mutating real HTTP requests, and
testing the web application layer, they lack good engine features. They
do not have features such as:
1) Application level tests such as manipulation of: HTML form
parameters (SQL Inj., Buffer Overflows, Poison null byte, Format strings
bugs, Cookies, HTTP Headers etc...)
2) Automatic testing validation.
3) Good reporting abilities
4) Session management/Transient management - Keeping the scanner 'in
session'. This gives you the ability to scan web applications that force
you to login, and may kick you out of session, if you caused some error
- I believe that most large web apps have this. I believe that AppScan
is the only scanner to perform this action.
5) Good performance
6) Constant updates.
7) Logging of raw HTTP traffic
8) The ability to easily implement new tests.

-Ory Segal.









