RE: Open Source Application Vulnerability Assessment Tools

["Arian J. Evans" <arian.evans () anachronic com>]

ps - In my haste below I failed to clarify that
I meant "open source domain" in reference to automation.

There are a variety of commercial tools, but in
the non-commercial space, nothing (worth using). </0.02>

For manual tools, WebScarab and Paros are easy and
WebScarab has become quit feature rich. Ben, you
might try taking a look at WebScarab and extending
that, instead of starting YALGRITLPWP (yet another
lets go re-invent the local proxy wheel project).

It's simply too hard to pronounce to be successful.

-ae

(though nobody has made an OSS web fuzzer worth
anything; the only thing close is Burp Intruder.
Which tells me there are a lot of "web app security
consultants" that do not provide much depth in
their pen testing process, unless everybody's got
a Peach Fuzzer/SPIKE script in their back pocket
and I simply haven't heard about it

In the mean time, this would be a good project)
 

> -----Original Message-----
> From: Ben Hall [mailto:ben2004uk () googlemail com] 
> Sent: Monday, October 02, 2006 5:12 AM
> To: dotevansanachronic.com () securityfocus com; 
> arian.evans () anachronic com
> Cc: Aman Raheja; Brokken, Allen P.; webappsec () securityfocus com
> Subject: Re: Open Source Application Vulnerability Assessment Tools
>
> Hello,
>
> This is a topic close to my heart at the moment as I am looking at
> creating a tool like this for my undergraduate Comp Sci degree here in
> the UK.
>
> I have two choices at the moment (all would be released as 
> OSS if it works),
>
> ASP.net Static Code Analyzer for security weaknesses which I think
> could be a useful tool for developers to help educate and project
> their code.
>
> Black Box testing software, for Pen Testers to easily edit different
> parts of requests, forge their own valid requests, integrated browser,
> source code (html) live editor, profiler etc -  very manual,  but
> everything is nicely integrated and extendable.
>
>
> How can an attack be automated? I have saw applications which
> automatically try for SQL injection on all the fields, brute
> force/attack authentication.  But its very much, separate apps for
> separate attacks (or so I have found).
>
> What would a prefect application do?
>
> Anyone got an suggestions on my ideas?
>
> Thanks for your time
>
> Ben
>
> On 01/10/06, Arian J. Evans <arian.evans () anachronic com> wrote:
> > The lack of info is because, in this domain,
> > there really isn't anything in the "automated
> > web app scanner" domain worth using.
> >
> > For manual testing, there are a ton of tools.
> >
> > Undertaking the creation of one is challenging.
> >
> > The variables are certainly far, far higher
> > than harnessing a scripted testing engine
> > and regex matcher to a port scanner/protocol
> > fingerprinter, a'la Nessus.
> >
> > This is a much harder problem, more variables,
> > and not many folks do a good job at it. (These
> > are smart folks too, but it's a hard problem).
> >
> > </free_lunch>
> >
> > -ae
> >
> > > -----Original Message-----
> > > From: listbounce () securityfocus com
> > > [mailto:listbounce () securityfocus com] On Behalf Of Aman Raheja
> > > Sent: Thursday, September 28, 2006 4:01 PM
> > > To: Brokken, Allen P.; webappsec () securityfocus com
> > > Subject: Re: Open Source Application Vulnerability 
> Assessment Tools
> > > Some tools are listed here
> > >
> > > http://sectools.org/web-scanners.html
> > >
> > > Aman Raheja, CISSP
> > > PGP Key: www.techquotes.com/araheja.asc
> > >
> > >
> > > On Wed, 27 Sep 2006 14:40:19 -0500, "Brokken, Allen P."
> > > <BrokkenA () missouri edu> wrote :
> > >
> > > > On this list we talk a lot about various vendor provided
> > > tools quite a
> > > > bit.  In general it appears most solutions are
> > > Windows-centric in their
> > > > installation even if they work against multiple platforms.
> > > >
> > > > With the prevalence of LAMP systems I would figure there
> > > must be some
> > > > means of doing a security assessment on their applications
> > > with native
> > > > tools.  It seems odd to me that there isn't a NESSUS 
> equivalent for
> > > > application testing.  I'm wondering what is available 
> from the Open
> > > > Source community in the way of
> > > >
> > > > * Black Box web assessment software
> > > > * Source code assessment software
> > > > * Assessment management software
> > > >
> > > > I'm more looking for names/urls to projects than I am for any
> > > > comparisons or descriptions.
> > > >
> > > > Allen Brokken
> > > >
> > > > Information Security and Account Management - IAT Services
> > > - University
> > > > of Missouri -brokkena () missouri edu - (573)884-8708
> > > --------------------------------------------------------------
> > > -----------
> > > > Sponsored by: Watchfire
> > > >
> > > > It's been reported that 75% of websites are vulnerable to
> > > attack. That's
> > > > because hackers know to exploit weaknesses in web applications.
> > > > Traditional approaches to securing these assets no longer
> > > apply. Download
> > > > the "Addressing Challenges in Application Security"
> > > whitepaper today, and
> > > > see for yourself.
> > > https://www.watchfire.com/securearea/whitepapers.aspx?id=70150
> > > 0000008Vmw
> > > >
> > > --------------------------------------------------------------
> > > ------------
> > > >
> > >
> > > --------------------------------------------------------------
> > > -----------
> > > Sponsored by: Watchfire
> > >
> > > It's been reported that 75% of websites are vulnerable to
> > > attack. That's
> > > because hackers know to exploit weaknesses in web applications.
> > > Traditional approaches to securing these assets no longer
> > > apply. Download
> > > the "Addressing Challenges in Application Security"
> > > whitepaper today, and
> > > see for yourself.
> > >
> > > https://www.watchfire.com/securearea/whitepapers.aspx?id=70150
> > > 0000008Vmw
> > > --------------------------------------------------------------
> > > ------------
> --------------------------------------------------------------
> -----------
> > Sponsored by: Watchfire
> >
> > It's been reported that 75% of websites are vulnerable to 
> attack. That's
> > because hackers know to exploit weaknesses in web applications.
> > Traditional approaches to securing these assets no longer 
> apply. Download
> > the "Addressing Challenges in Application Security" 
> whitepaper today, and
> > see for yourself.
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70150
> 0000008Vmw
> >
> --------------------------------------------------------------
> ------------
> >


-------------------------------------------------------------------------
Sponsored by: Watchfire

Today's hackers exploit web applications to expose, embarrass and even 
steal. Firewalls and SSL may be commonplace but recent studies indicate 3 
out of 4 websites remain vulnerable to attack. Watchfire's "Addressing 
Challenges in Application Security" whitepaper explains what to do and 
provides a guideline to improving your own application security. 
Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmw
--------------------------------------------------------------------------