
RE: Web Application Source Vulnerability Scanners

From: Brass, Phil (ISS Atlanta) <PBrass(at)iss.net>
Date: Tue Mar 04 2003 - 14:48:54 EST


When you say most, I'm guessing you're excluding at least Spike Proxy, see below:

> -----Original Message-----
> From: Ory Segal [mailto:ory.segal@sanctuminc.com]
> Sent: Tuesday, March 04, 2003 10:25 AM
> To: webappsec@securityfocus.com
> Subject: RE: Web Application Source Vulnerability Scanners
>
>
> Hi,
>
> The problem with most open source tools is that they are very

It's in there, though not as comprehensive as the commercial tools.

> 2) Automatic testing validation.

Not sure what this means?

> 3) Good reporting abilities

I don't think it has any reporting capabilities at all?

> 4) Session management/Transient management - Keeping the scanner 'in
> session'. This gives you the ability to scan web applications that force
> you to login, and may kick you out of session, if you caused some error
> - I believe that most large web apps have this. I believe that AppScan
> is the only scanner to perform this action.

Since it's mainly a proxy, your browser keeps it in session. For the static CGI checks it probably does not stay "in-session" with cookies, but I suspect that might not be too hard, at least for static session identifiers.

> 5) Good performance

Kinda hard to quantify. I would say Spike proxy has average performance for most tests - they are performed one-at-a-time rather than in parallel, like the current generation of many other tools.

> 6) Constant updates.

There was a while there where you couldn't go two days without seeing another annoying announcement from Dave about the latest update to Spike proxy.

> 7) Logging of raw HTTP traffic

It's in there.

> 8) The ability to easily implement new tests.

VulnXML support for implementing your own checks in a standards-compliant fashion.

Plus, fully open-source, so you can fix bugs if they annoy you enough.

Not as polished or comprehensive as commercial scanners, but it's free and it *is* application-level, and it *does* have tests for buffer-overflows and SQL injection and the like.

Phil

Received on Tue Mar 4 15:16:52 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:49 EDT
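The "keeping the scanner in session" requirement Ory lists and Phil discusses above (a proxy inherits the browser's session, but static checks need their own cookie handling), as an added example that is not Spike Proxy's or AppScan's code: a small Python client that carries the application's session cookie between requests, recognises that the application has dropped the session (a redirect to the login page, or a 401/403), and re-authenticates before retrying the request once. The target application is a constructed stand-in served on localhost; its cookie name `SESSIONID`, its `/login` path and its "invalidate the session on an error" behaviour are assumptions made for the demo.

```python
"""Session-aware HTTP client for a scanner, exercised against a constructed app.

Added example (not Spike Proxy or AppScan code). Cookie name, login path and
the "drop session on error" behaviour of the target are assumptions.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlencode


class FakeAppHandler(BaseHTTPRequestHandler):
    """Constructed target: /login issues a session cookie; a query containing a
    single quote makes the app error out and drop the session; every other
    path needs a valid session or redirects to /login."""

    valid_sessions = set()   # shared by all requests (single-threaded server)
    counter = 0

    def log_message(self, *args):
        pass  # keep the demo server quiet

    def _reply(self, status, body=b"", extra=()):
        self.send_response(status)
        for name, value in extra:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _session_id(self):
        for part in self.headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "SESSIONID" and value in self.valid_sessions:
                return value
        return None

    def do_GET(self):
        path, _, query = self.path.partition("?")
        if path == "/login":
            type(self).counter += 1
            sid = f"sess{self.counter}"
            self.valid_sessions.add(sid)
            self._reply(200, b"logged in", [("Set-Cookie", f"SESSIONID={sid}; Path=/")])
            return
        sid = self._session_id()
        if sid is None:
            self._reply(302, extra=[("Location", "/login")])
            return
        if "'" in unquote(query):
            self.valid_sessions.discard(sid)  # the app kicks the user out on error
            self._reply(500, b"internal error")
            return
        self._reply(200, b"ok")


class SessionAwareClient:
    """Carries cookies between requests; when a response shows the session was
    dropped (redirect to the login page, or 401/403), logs in again and
    retries the request once."""

    def __init__(self, host, port, login_path="/login"):
        self.conn = http.client.HTTPConnection(host, port, timeout=5)
        self.login_path = login_path
        self.cookies = {}
        self.relogins = 0

    def _request(self, path):
        headers = {}
        if self.cookies:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.cookies.items())
        self.conn.request("GET", path, headers=headers)
        resp = self.conn.getresponse()
        body = resp.read()
        for raw in resp.msg.get_all("Set-Cookie") or []:   # keep the jar current
            name, _, value = raw.split(";", 1)[0].partition("=")
            self.cookies[name.strip()] = value.strip()
        return resp.status, resp.getheader("Location", ""), body

    def _session_lost(self, status, location):
        to_login = status in (301, 302, 303, 307) and location.endswith(self.login_path)
        return to_login or status in (401, 403)

    def login(self):
        self.cookies.clear()
        self.relogins += 1
        status, _, _ = self._request(self.login_path)
        return status == 200

    def get(self, path):
        status, location, body = self._request(path)
        if self._session_lost(status, location):
            self.login()
            status, location, body = self._request(path)
        return status, body


def run_demo():
    """Start the constructed app on a free localhost port and run three requests."""
    server = HTTPServer(("127.0.0.1", 0), FakeAppHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    client = SessionAwareClient("127.0.0.1", server.server_address[1])
    client.login()
    results = {"normal": client.get("/account")[0]}
    results["error_probe"] = client.get("/search?" + urlencode({"q": "a'"}))[0]
    results["after_error"] = client.get("/account")[0]  # 302 seen -> re-login -> 200
    results["relogins"] = client.relogins
    server.shutdown()
    server.server_close()
    return results


if __name__ == "__main__":
    print(run_demo())  # {'normal': 200, 'error_probe': 500, 'after_error': 200, 'relogins': 2}
```

The point of the third request is the one Phil raises: after the error probe the application has silently invalidated the session, so a naive static check would run every remaining test against the login page and report nothing. Detecting the redirect and re-authenticating keeps the later checks meaningful; a rotating or per-form token would need the login response parsed rather than a plain cookie copied, which is what Phil means by "static session identifiers" being the easy case.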