[Owasp-austin] Web Application Security Scanners

Matt Tesauro mtesauro at gmail.com
Fri Oct 3 13:37:05 EDT 2008


David,

[tools]
For commercial Web App Scanners look at:
* IBM Rational AppScan (formerly Watchfire's product)
http://www-01.ibm.com/software/awdtools/appscan/
* HP WebInspect (formerly SPI Dynamics)
https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200^9570_4000_100__

* Cenzic has recently added Web App Scanning to their products as well,
though AppScan and WebInspect are the big players in the commercial world.
http://www.cenzic.com/products_services/index.php

I agree with Josh that w3af is a very nice tool - particularly the new 
GUI is _very_ nice.
(Planned to be on the Portugal release of the OWASP Live CD 2008)
http://w3af.sourceforge.net/

You should probably look at Grendel Scan too (Not OWASP but GPL'ed).
(Currently on the SoC release of the OWASP Live CD 2008)
http://grendel-scan.com
   also
http://www.linux-magazine.com/online/news/grendel_scan_1_0_automatic_security_check_for_web_applications

Heck, for "infrastructure" type issues with Web Apps, you'll get really
far with Nikto 2:
(Planned to be on the Portugal release of the OWASP Live CD 2008)
http://www.cirt.net/nikto2

[lists]
As for lists, there's lots of them.  I enumerated 300+ web app tools 
when working on the SoC project.  All of them are linked off here:
http://mtesauro.com/livecd/index.php?title=Potential_Tool_List
   what's on the SoC release is here:
http://mtesauro.com/livecd/index.php?title=Current_Tool_List

Other lists by other parties:
http://sectools.org/web-scanners.html
http://www.owasp.org/index.php/Phoenix/Tools
https://samate.nist.gov/index.php/Web_Application_Vulnerability_Scanners

That should keep you busy for a while  ; )

BTW, I've got AppScan where I work so I could show it to you if you are
considering a purchase.  Just let me know.  It's NOT cheap at all.

-- Matt Tesauro
OWASP Live CD 2008 Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_2008_Project
http://mtesauro.com/livecd/ - Documentation Wiki


David Hughes wrote:
> All,
> 
> While I've had experience with vulnerability scanners (Core, Nessus, 
> etc) I've never really looked into what's out there with regards to vuln 
> scanners that focus on Web Application Vulnerability scanning.  I'm 
> trying to compile a list of security tools that are "out there" and was 
> wondering what you all know about/use/recommend.  I have a pretty full 
> list of other tools, but my web app section is pretty lean. Any 
> thoughts? Could be open source, commercial, etc.
> 
> Thanks
> 
> David H.
> 
> -- 
> David Hughes, CISSP,MCSA,MCSE
> In-Depth Security
> 823 Congress Avenue, #1510
> Austin, TX  78701
> office:512.394.3754
> mobile: 512.623.9550
> www.indepthsec.com <http://www.indepthsec.com>
> 
