WebApp Sec mailing list archives
RE: Web Application Tester
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Thu, 30 Sep 2004 12:42:49 -0500
Andrew,

(X-post to web apps since I think that's where this should be)

I'll summarize my experiences with webappsec testing and I hope this will help you with tool selection:

Manual testing--has to happen, human eyeballs required to identify everything from session state issues to overly rich error messages.

Automated testing with scripts/scanners--saves time, catches many things tired eyeballs miss. Good for finding technical issues but not functional issues (see manual).

Short answers:

Free--Check out Paros and Webscarab.
Cheap--Check out WebSleuth additional functionality scripts.
Costly--SPI WebInspect and SPI Toolkit (if you test a lot of large enterprise apps I highly recommend investigating one of the four commercial apps listed below).

Free manual testing:

*Firefox, LiveHTTP headers, plus one of the free proxies.
*IE, HTMLbar plugin, plus one of the free proxies.
*Paros--this has some automated and some manual testing abilities. It's the best free Windows tool I've found.
*Webscarab--like Paros, also nice.
*SPIKE--if you know C and are willing to code your own tests, this is a very powerful tool. Time-consuming to use.

I find the *nix-based CGI/known-file scanners mostly a waste of time (e.g. Nikto, whisker, etc.), but I'm typically testing enterprise apps built with security in mind, and sample files installed are pretty much not the issue.

Free proxies:

*SPIKE proxy
*Achilles
*many others for both Windows and Linux (see history of Webscarab at OWASP.org).

Commercial:

*@stake now Symantec Web Proxy 2.0: this tool is cheap and crude and limited. Few things you can do well with it IMO.
*N-stalker falls into the about-useless CGI/known-file scanner category IMO. Again, context is important--I mean useless for what I am doing; might be useful for a simple app on an unpatched/hardened IIS 4.0/ASP 3.0 type setup.
*WebSleuth is cheap, great for manual testing, and there are a lot of scripts out there to aid in automated crawling, cookie testing, etc.
If WebInspect didn't exist, I'd use WebSleuth a lot. Even now, I like its source view better than WI, though WI's HTML request/response editor is the best of any of these tools.

The big four commercial scanners: all of these have their bugs/quirks/limitations, and tend to overhype certain types of vulnerabilities (see WI's .printer check for example, and read the finding, and note that it doesn't actually *check* for a vulnerability).

*SPI WebInspect--this is the most mature of the commercial tools IME/IMO. I use this extensively.
*Sanctum AppScan--like the interface, filter/sort etc. Fast. Limited for manual testing, which makes it unusable for me.
*Kavado Scando--somewhere between WI and AppScan, and cheaper than both, but less mature as well.
*AppSecInc AppDetective--WebInspect 1.0. Not very mature at present state.

SPI also offers "SPI Toolkit" which adds some essential tools for manual testing, like a commercial fuzzer. The cookie testing tool also offsets WebInspect's weakness at analyzing session cookies.

These tools are all evolving and my thoughts on these could change next week if somebody makes a huge leap in functionality, so do your own homework.

Arian Evans
Sr. Security Engineer
FishNet Security
KC Office: 816.421.6611
Direct: 816.701.2045
Toll Free: 888.732.9406
Fax: 816.474.0394
http://www.fishnetsecurity.com
-----Original Message-----
From: Andrew Bagrin [mailto:abagrin () gmail com]
Sent: Tuesday, September 14, 2004 5:50 PM
To: pen-test () securityfocus com
Subject: Web Application Tester

Does anyone know of an application tester similar to AppDetective that's not as hard on the pocket book? I need to pentest a web app and am looking for some tools.

Thanks,
--
Andrew Bagrin
andrew () bagrin com