[OWASP-GUIDE] [OWASP-GUIDE]

Ray Stirbei ray at highentropy.org
Sun Jun 29 15:21:12 EDT 2003


Hi Gene,

As Mark said, WebScarab is a great place to start.  We should put some white
papers on the portal for some of the esoteric details not mentioned in the
guide.

In terms of openproxy, I have never seen such a tool but it looks like it was
written by Steve Taylor and it has been incorporated in WebScarab. But you
are not the first person to ask this question:

http://www.securityfocus.com/archive/107/314290/2003-03-02/2003-03-08/0

I will try to change the documentation but in the meantime you have many
choices available for testing web applications.

(free tools)
spikeproxy - http://www.immunitysec.com/
exodus - http://mysite.mweb.co.za/residents/rdawes/exodus.html
achilles - http://achilles.mavensecurity.com
penproxy - http://shh.thathost.com/pub-java/html/PenProxy.html
mangle - http://mysite.mweb.co.za/residents/rdawes/homepage.html
odysseus - http://www.wastelands.gen.nz/odysseus/

(commercial)
Sanctum AppScan - http://www.sanctuminc.com/solutions/appscan/de/index.html
SpiDynamics WebInspect - https://www.spidynamics.com/productline/WE_over.html
Kavado scando - http://kavado.com/ProductsScando.htm
@stake webproxy -  http://www.atstake.com/webproxy/

Additionally there are cgi scanners like nikto and whisker and general tools
like nessus. That should keep you busy for a while, and once you feel
comfortable with them I can send you some of my custom tools, which are less
polished and more specific in utility.

Cheers

Ray Stirbei


On Friday 20 June 2003 08:46 pm, Gene McKenna wrote:
> I haven't heard from anyone in a long time. What's going on with the latest
> version of the Guide?
> Also, I have gotten some of the security teams at some of our customer
> sites reading the current Guide and checking out the other resources at
> owasp.org. A gentleman at EMC Corp is asking me the following. Can anyone
> help? I'm pursuing the path of self-teaching with regards to assessing the
> security of web applications primarily following the guidelines on
> www.owasp.org.  There is reference to OpenProxy being available there, but
> it is not.  Any ideas where I can get it?  or, reputable substitute?
>
> Thanks
>
> GENE
>