
Re: Web Application Source Vulnerability Scanners

From: Javier Fernandez-Sanguino <jfernandez(at)germinus.com>
Date: Fri Mar 07 2003 - 07:53:33 EST

Ory Segal wrote:
> Hi,
>
> The problem with most open source tools is that they are very strong in

Ok. Not completely true. Let's take a look at httpush: http://sourceforge.net/projects/httpush
(the answers would be similar if you took Spike proxy or other inline proxies)

> 1) Application level tests such as manipulation of : HTML form

It has a Plugin API in which you can code these tests. Some are already available.

> 2) Automatic testing validation.

It does not have those. But I don't understand the point of doing it either.

> 3) Good reporting abilities

Good ol' text files.

> 4) Session management/Transient management - Keeping the scanner 'in
> session'. This gives you the ability to scan web applications that force
> you to login, and may kick you out of session, if you caused some error
> - I believe that most large web apps have this. I believe that AppScan
> is the only scanner to perform this action.

It does this fairly well since it's managed by the browser; httpush is a semi-transparent proxy.

> 5) Good performance

Fairly good performance as a proxy.

> 6) Constant updates.

Not in httpush's case, but not really necessary.

> 7) Logging of raw HTTP traffic

Httpush can do that.

> 8) The ability to easily implement new tests.

Same here.

Now, I don't develop httpush myself. But I find it a _very_ useful web application scanner. I think the same of Spike proxy and RFP Proxy, BTW. However, it's not a "web application _Source_ vulnerability scanner". But, then again, your answer does not answer the original post either (since you are not talking of _source_ scanners either).

Regards

Javi

Received on Fri Mar 7 11:05:52 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:49 EDT
