WebApp Sec mailing list archives

RE: Web Application Tester


From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Thu, 30 Sep 2004 12:42:49 -0500

Andrew, (X-post to web apps since I think that's where
this should be):

I'll summarize my experiences with webappsec testing and
I hope this will help you with tool selection:

Manual testing--has to happen, human eyeballs required
to identify everything from session state issues to overly
rich error messages

Automated testing with scripts/scanners--saves time,
catches many things tired eyeballs miss. Good for finding
technical issues but not functional issues (see manual).

Short answers:
Free--Check out Paros and Webscarab.
Cheap--Check out WebSleuth additional functionality scripts
Costly--SPI WebInspect and SPI Toolkit

(if you test a lot of large enterprise apps I highly recommend
investigating one of the four commercial apps listed below)

Free manual testing:

*Firefox, LiveHTTP headers, plus one of the free proxies

*IE, HTMLbar plugin, plus one of the free proxies.

*Paros--this has some automated and some manual
testing abilities. It's the best free windows tool I've found.

*Webscarab--like Paros, also nice.

*SPIKE--if you know C and are willing to code your own
tests, this is a very powerful tool. Time-consuming to use.

I find the *nix-based CGI/known-file scanners mostly a
waste of time (e.g. Nikto, whisker, etc.), but I'm typically
testing enterprise apps built with security in mind, and
sample files installed are pretty much not the issue.

Free proxies:

*SPIKE proxy, *Achilles, many others for both Windows
and Linux (see history of *Webscarab at OWASP.org).

Commercial:

*@stake now Symantec Web Proxy 2.0: this tool is
cheap and crude and limited. Few things you can
do well with it IMO.

*N-stalker falls into the about-useless CGI/known-file
scanner category IMO. Again, context is important--I mean useless
for what I am doing; might be useful for a simple app on
an unpatched/hardened IIS 4.0/ASP 3.0 type setup.

*WebSleuth is cheap, great for manual testing, and
there are a lot of scripts out there to aid in automated
crawling, cookie testing, etc. If WebInspect didn't
exist, I'd use WebSleuth a lot. Even now, I like its
source view better than WI, though WI's HTML
request/response editor is the best of any of these tools.

The big four commercial scanners: all of these have
their bugs/quirks/limitations, and tend to overhype
certain types of vulnerabilities (see WI's .printer
check for example, and read the finding, and note
that it doesn't actually *check* for a vulnerability).

SPI WebInspect--this is the most mature of the
commercial tools IME/IMO. I use this extensively.

Sanctum AppScan--like the interface, filter/sort
etc. Fast. Limited for manual testing, which
makes it unusable for me.

Kavado Scando--somewhere between WI and AppScan,
and cheaper than both, but less mature as well.

AppSecInc AppDetective--WebInspect 1.0. Not very
mature at present state.

SPI also offers "SPI Toolkit" which adds some
essential tools for manual testing, like a commercial
fuzzer. The cookie testing tool also offsets WebInspect's
weakness at analyzing session cookies.

These tools are all evolving and my thoughts on these
could change next week if somebody makes a huge
leap in functionality, so do your own homework.

Arian Evans
Sr. Security Engineer
FishNet Security

KC Office:  816.421.6611
Direct: 816.701.2045
Toll Free:  888.732.9406
Fax:  816.474.0394

http://www.fishnetsecurity.com


-----Original Message-----
From: Andrew Bagrin [mailto:abagrin () gmail com] 
Sent: Tuesday, September 14, 2004 5:50 PM
To: pen-test () securityfocus com
Subject: Web Application Tester

Does anyone know of an application tester similar to AppDetective
that's not as hard on the pocketbook?
I need to pentest a web app and am looking for some tools.

Thanks,

-- 
Andrew Bagrin
andrew () bagrin com
