Pantek Library

RE: Web Application Source Vulnerability Scanners

From: Dawes, Rogan (ZA - Johannesburg) <rdawes(at)deloitte.co.za>
Date: Fri Feb 28 2003 - 02:45:42 EST


You might want to have a look at
http://mysite.mweb.co.za/residents/rdawes/exodus.html

It is the homepage of Exodus, a Java web proxy currently under development, but it also has links to a number of other similar tools.

From the page:

Functionality existing in Exodus today

  • Proxies HTTP and HTTPS connections
  • Supports upstream HTTP proxies (HTTPS coming soon)
  • Supports Basic-Auth and Proxy Basic-Auth (NTLM support will come if there is a need for it, I'm sure!)
  • Supports interception and modification of requests and responses (individually selectable)
  • Shows a log of requests received by the proxy, modifications made by the user/proxy, responses from the server, and modifications made to the response
  • Can render HTML responses to the screen

Exodus may be added to the OWASP project, as a complementary tool to PenProxy, OpenProxy and WebScarab. Since they are all GPL'd, there will almost certainly be cross-pollination between them if that does not happen.

Rogan

-----Original Message-----
From: Rosado, Rafael (Rafael) [mailto:rarosado@lucent.com]
Sent: 27 February 2003 09:27 PM
To: webappsec@securityfocus.com; cisspforum@yahoogroups.com
Subject: Web Application Source Vulnerability Scanners

Does anyone know of open source vulnerability scanners in the Web Application Source Code security market segment? I am familiar with and aware of the most common commercial tools (AppScan from Sanctum and WebInspect from SPI Dynamics). The Open Web Application Security Project (OWASP) has started the development of an open source Web Application Vulnerability scanner called WebScarab; however, it is in the early stages of development.


Any assistance in identifying specific open source tools (names and web sites where to download) is greatly appreciated.

Rafael Rosado, CISSP, CISA
IT Security Manager
Caribbean and Latin America Region (CALA) & Global Risk Assessment and Penetration Testing
Lucent Technologies
Corporate Security
Business Assurance and Risk Mitigation Services (B.A.R.M.S.)
2400 SW 145th Avenue - Room 3S039
Miramar, Florida 33027

+1 954-885-2176 (voice) *
+1 954-885-3861 (fax) * 
+1 954-648-3532 (mobile) or 9546483532@mobile.att.net (text message) *
rarosado@lucent.com (email) *

This electronic mail message contains information belonging to Lucent Technologies, which may be confidential and/or legal privileged. The information is intended only for the use of the individual or entity named above. If you are not the intended recipient, you are hereby notified that any disclosure, printing, copying, distribution, or the taking of any action in reliance on the contents of this electronically mailed information is strictly prohibited. If you receive this message in error, please immediately notify us by electronic mail and delete this message.

Received on Fri Feb 28 11:38:46 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:49 EDT

