RE: Web application Security Scanner

["tgoogle" <tgoogle () yandex ru>]

Ok
I define concretely my task. 

I wish to find quickly potential holes (XSS, SQL injection and e.t.c.) in the any Web sites, for example www.yandex.ru. 
I do not know, what OS or database using on server.

Many program can find only known CGI bugs or need some interactive with database or environment. 




> I do not actually think that any of the tools listed below are what you are
> looking for.
>
> * Nikto is a web vulnerability scanner that can identify KNOWN
> vulnerabilities, as well as some variations on them. It is unable to
> understand application logic or identify any custom security
> vulnerabilities.
> * Nessus is much like Nikto - only it's not limited to web. 
> * Absinthe is the only tool that can help with custom application
> vulnerabilities, but it's not really an automated scanner such as the one
> you are looking, but rather an assisting the exploitation of SQL Injection.
> It still requires a certain level of expertese to succesfully operate. 
>
> I think what you are looking at is rather one of the commercial tools, such
> as SPI Dynamics WebInspect, Watchfire's AppScan or KaVaDo's ScanDo. 
>
> Ofer Maor
> CTO
> Hacktics (http://www.hacktics.com/)
>
>
> -----Original Message-----
> From: full-disclosure-bounces () lists grok org uk
> [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of tgoogle
> Sent: Monday, June 13, 2005 19:10
> To: full-disclosure () lists grok org uk
> Cc: deepquest () mac com
> Subject: Re: [Full-disclosure] Web application Security Scanner
>
>
> Thanks,
>
> I shall test all these programs, tomorrow I send my results. For example, i
> try to find vulnerabilities in www.yandex.ru and www.google.ru sites :).
>
> You really consider that all these programs are capable found vulnerability
> in UNKNOWN scripts?
>
> I need BEST program, which can found Maximum bugs in any custom Web
> application.
>
>
> > http://www.0x90.org/releases/absinthe/
> > http://www.nessus.org/download/ with some plugins 
> > http://www.cirt.net/code/nikto.shtml
> >
> > The "best" depends of your target, the OS you use, if you looking for
> > opensource products or commercial ones.
> > Just google there many of them.
> >
> >
> > Deepquest
> > "Justification of windows usage is a combinaison of Stockholm
> > Syndrome and cognitive dissonance."
> > --------------------------------------------------------------
> > Propaganda              http://deepquest.code511.com/blog
> > FIB                     http://www.futureisbeta.com
> > PGP DH/DSS              http://www.futureisbeta.com/pgp
> > --------------------------------------------------------------
> >
> > > Did you know the best Web app security scanner?
> > >
> > > I need scanner, which would find SQL injections, XSS, php include  
> > > and other bug in unknown Web application.
> > >
> > > Thanks
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
>
>
> -- 
> Яндекс.Почта: объем почтового ящика не ограничен!
> http://mail.yandex.ru/monitoring/
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


-- 
"Спамооборона" - почта без спама в вашем офисе!  http://so.yandex.ru/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/