[Owasp-austin] Web Application Security Scanners

Matt Tesauro mtesauro at gmail.com
Fri Oct 3 13:37:05 EDT 2008


For commercial Web App Scanners look at:
* IBM Rational AppScan (formerly Watchfire's product)
* HP WebInspect (formerly SPI Dynamics)

* Cenzic has recently added Web App Scanning to their products as well, 
though AppScan and WebInspect are the big players in the commercial world.

I agree with Josh that w3af is a very nice tool - particularly the new 
GUI is _very_ nice.
(Planned to be on the Portugal release of the OWASP Live CD 2008)

You should probably look at Grendel-Scan too (Not OWASP but GPL'ed).
(Currently on the SoC release of the OWASP Live CD 2008)

Heck for "infrastructure" type issues with Web Apps, you'll get really 
far with Nikto 2:
(Planned to be on the Portugal release of the OWASP Live CD 2008)

As for lists, there's lots of them.  I enumerated 300+ web app tools 
when working on the SoC project.  All of them are linked off here:
What's on the SoC release is here:

Other lists by other parties:

That should keep you busy for a while ; )

BTW, I've got AppScan where I work so I could show it to you if you are 
considering a purchase.  Just let me know.  It's NOT cheap at all.

-- Matt Tesauro
OWASP Live CD 2008 Project Lead
http://mtesauro.com/livecd/ - Documentation Wiki

David Hughes wrote:
> All,
> While I've had experience with vulnerability scanners (Core, Nessus, 
> etc) I've never really looked into what's out there with regards to vuln 
> scanners that focus on Web Application Vulnerability scanning.  I'm 
> trying to compile a list of security tools that are "out there" and was 
> wondering what you all know about/use/recommend.  I have a pretty full 
> list of other tools, but my web app section is pretty lean. Any 
> thoughts? Could be open source, commercial, etc.
> Thanks
> David H.
> -- 
> David Hughes, CISSP,MCSA,MCSE
> In-Depth Security
> 823 Congress Avenue, #1510
> Austin, TX  78701
> office:512.394.3754
> mobile: 512.623.9550
> www.indepthsec.com <http://www.indepthsec.com>
> _______________________________________________
> Owasp-austin mailing list
> Owasp-austin at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-austin
