Penetration Testing mailing list archives

Re: Which Commercial Web App Scanner?


From: Eric Milam <emilam () coretechsg com>
Date: Tue, 13 Oct 2009 20:58:32 -0700

I am learning Acunetix now and when used properly it is very effective.
The Blind SQL injection piece is nice.

You just really have to know the tool you are using.  If it is an
awesome tool, but you don't know anything about it, the net result is
that your results will suck.


On Tue, 2009-10-13 at 15:52 -0500, Todd Haverkos wrote:
Norma Snockers <norma.snockers () hotmail co uk> writes:

Folks,

I've read the threads, last one about 5 months ago...

http://seclists.org/webappsec/2009/q2/68

and whilst very helpful, I'm still in a quandary.

AppScan is expensive, so assuming that leaves WebInspect and
Acunetix, which one would you personally choose?

FYI, AppScan Standard and SPI Webinspect are priced similarly last
time I checked, so I wouldn't be so quick to rule AppScan out.  You
can download a trial of AppScan btw.  I wouldn't buy any tool without
test driving it against a representative site with which I was
familiar.

I've used both, and like any automated app scanner, both will flag
things that turn out to be false positives, and neither is a
substitute for manual testing and review of business logic, and the
like, but they are both excellent at automating a wide range of
fuzzing and link discovery tests.  My (admittedly biased) opinion
tilts towards Appscan.

I've not used Acunetix, but I've listened to more than a few podcasts
where Ryan Jones and Chris Nickerson (of Tiger Team and Exotic
Liability fame) are very frank in their thoughts about it.  It'd give
me pause then to think of Acunetix in the same league as AppScan and
SPI.

--
Todd Haverkos, LPT MsCompE
http://haverkos.com/

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------


